try this one,,,
hay bro,
I found this 2 days back, and its works great for WHM/scpanel servers.
athou its a lil tricky if you have a vps server, but i got myn to work on my real servers and my vps servers
My WHM/CPanel versions.
WHM 10.8.0 cPanel 10.9.0-R47
CentOS 4.4 i686 - WHM X v3.1.0
Firewall url.
http://www.configserver.com/cp/csf.html
Enjoy!!
DTmonk
-----------
-----------
hay bro,
I found this 2 days back, and its works great for WHM/scpanel servers.
athou its a lil tricky if you have a vps server, but i got myn to work on my real servers and my vps servers
My WHM/CPanel versions.
WHM 10.8.0 cPanel 10.9.0-R47
CentOS 4.4 i686 - WHM X v3.1.0
Firewall url.
http://www.configserver.com/cp/csf.html
Enjoy!!
DTmonk
-----------
-----------
Oh’ and one last thing, when you are configuring your firwall, be carfull of this option (LF_PARSE = ??)
If you set this option higher than 59 seconds, then youll find your server using 20-50% of its cpu,,,, but if you set it to 59 seconds like I have’ then your server wont even feel any stress. I think it’s a bug or something, other than that,,,, I’m smiling all the way, specially with the auto blocking features.
If you set this option higher than 59 seconds, then youll find your server using 20-50% of its cpu,,,, but if you set it to 59 seconds like I have’ then your server wont even feel any stress. I think it’s a bug or something, other than that,,,, I’m smiling all the way, specially with the auto blocking features.
Right, I have CSF installed and I'm nearly done with correcting all the warnings in the Security Check screen. The LF_PARSE setting is set to 5. Is this OK?
Nop, cos that meens that its going to read the logs every 5 secounds, and thats no good as this is to streesfull,, rather you set it to 59 second like i have.
i will see if i can post my config file for you then you can see what work for me.
back in a 15min.
chow!!
i will see if i can post my config file for you then you can see what work for me.
back in a 15min.
chow!!
part (1) of my settings.
Copyright 2006, Way to the Web Limited
# URL: http://www.waytotheweb.com
# Email: [email protected]
###############################################################################
TESTING = 0
TESTING_INTERVAL = 1
AUTO_UPDATES = 0
ETH_DEVICE =
# Unfiltered ethernet devices in a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP =
# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).
# Allow incoming TCP ports
TCP_IN = 20,21,22,25,53,80,110,143,443,465,953,993,995,2082,2083,2086,2087,2095,2096
# Allow outgoing TCP ports
TCP_OUT = 20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703
UDP_IN = 20,21,53,953
UDP_OUT = 20,21,53,113,123,873,953,6277
ICMP this settings will alow ping to enter and answer to retern, but will still provent my server
to participte in a dos attck, cos the server may not start the ping (I did this cos the data center is monitoring my server with pings.)
# Allow incoming PING
ICMP_IN = 1
# Allow outgoing PING
ICMP_OUT = 0
SMTP_BLOCK = 1
SMTP_ALLOWLOCAL = 1
this for VPS servers only
MONOLITHIC_KERNEL = 0
DROP_LOGGING = 1
DROP_IP_LOGGING = 1
DROP_ONLYRES = 1
DROP_NOLOG = 67,68,111,113,135:139,445,513,520,1026,1027,1234,1433,1434,1524,3127
PACKET_FILTER = 1
VERBOSE = 1
DYNDNS = 0
ALLOW_RES_PORTS = 0
DENY_IP_LIMIT = 250
GLOBAL_ALLOW =
GLOBAL_DENY =
LF_GLOBAL =
LF_DAEMON = 1
This is vey important, cos my options was to stop script brutu force, but not lock myself out or my users,,,, if you use my settings below, then if you are cought by logfile Demon,, then your only blocked from that port. I think this is best, as I usaly go an inspect the bloked IP's, and then add them MANUALY to my perminent deny list!!
from here,, down ,
LF_TRIGGER = 0
LF_SELECT = 1
LF_SSHD = 7
LF_FTPD = 20
LF_POP3D = 20
LF_IMAPD = 20
LF_HTACCESS = 1
LF_MODSEC = 1
LF_CPANEL = 20
LF_CSF = 1
LF_SSH_EMAIL_ALERT = 1
LF_SU_EMAIL_ALERT = 1
To here,,,, all the above very important,
Copyright 2006, Way to the Web Limited
# URL: http://www.waytotheweb.com
# Email: [email protected]
###############################################################################
TESTING = 0
TESTING_INTERVAL = 1
AUTO_UPDATES = 0
ETH_DEVICE =
# Unfiltered ethernet devices in a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP =
# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).
# Allow incoming TCP ports
TCP_IN = 20,21,22,25,53,80,110,143,443,465,953,993,995,2082,2083,2086,2087,2095,2096
# Allow outgoing TCP ports
TCP_OUT = 20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703
UDP_IN = 20,21,53,953
UDP_OUT = 20,21,53,113,123,873,953,6277
ICMP this settings will alow ping to enter and answer to retern, but will still provent my server
to participte in a dos attck, cos the server may not start the ping (I did this cos the data center is monitoring my server with pings.)
# Allow incoming PING
ICMP_IN = 1
# Allow outgoing PING
ICMP_OUT = 0
SMTP_BLOCK = 1
SMTP_ALLOWLOCAL = 1
this for VPS servers only
MONOLITHIC_KERNEL = 0
DROP_LOGGING = 1
DROP_IP_LOGGING = 1
DROP_ONLYRES = 1
DROP_NOLOG = 67,68,111,113,135:139,445,513,520,1026,1027,1234,1433,1434,1524,3127
PACKET_FILTER = 1
VERBOSE = 1
DYNDNS = 0
ALLOW_RES_PORTS = 0
DENY_IP_LIMIT = 250
GLOBAL_ALLOW =
GLOBAL_DENY =
LF_GLOBAL =
LF_DAEMON = 1
This is vey important, cos my options was to stop script brutu force, but not lock myself out or my users,,,, if you use my settings below, then if you are cought by logfile Demon,, then your only blocked from that port. I think this is best, as I usaly go an inspect the bloked IP's, and then add them MANUALY to my perminent deny list!!
from here,, down ,
LF_TRIGGER = 0
LF_SELECT = 1
LF_SSHD = 7
LF_FTPD = 20
LF_POP3D = 20
LF_IMAPD = 20
LF_HTACCESS = 1
LF_MODSEC = 1
LF_CPANEL = 20
LF_CSF = 1
LF_SSH_EMAIL_ALERT = 1
LF_SU_EMAIL_ALERT = 1
To here,,,, all the above very important,
Last edited:
part (2) of my settings.
LF_SCRIPT_ALERT = 1
LF_SCRIPT_LIMIT = 300
LF_SCRIPT_PERM = 0
LF_DIRWATCH = 300
LF_DIRWATCH_DISABLE = 1
LF_DIRWATCH_FILE = 0
Last Edit: 23/10/2006
best you follow chirpys advise and set LF parser
LF_INTERVAL = 180
very important that you not set this value to (low) or any higher than 59 seconds, as it seem to be bugy and then youll be using +-50%cpu whenst LFD is in sleep mode,,, you can verify for your self by looking at your current cpu usage
Last Edit: 23/10/2006
best you follow chirpys advise and set LF parser to[5] seconds
LF_PARSE = 59 <------------------ correction please set to five [5]
LF_EMAIL_ALERT = 1
LT_EMAIL_ALERT = 1
LT_POP3D = 60
LT_IMAPD = 0
LF_DSHIELD = 7200
LF_DSHIELD_URL = http://feeds.dshield.org/block.txt
LF_SPAMHAUS = 7200
LF_SPAMHAUS_URL = http://www.spamhaus.org/drop/drop.lasso
also becarfull with this next few options, this because i think if you set it to low then you could disterb chat software, as the members may be blocked,,, so if you using chat software then play around with this nex few settings,,, this is with regard to (anty Dos) & connection tracking, (chating software) & (google spiders),,, Ive set myn high below.
CT_LIMIT = 300
CT_INTERVAL = 300
CT_EMAIL_ALERT = 1
CT_PERMANENT = 0
CT_BLOCK_TIME = 300
PT_LIMIT = 300
PT_INTERVAL = 300
PT_SKIP_HTTP = 0
PT_USERPROC = 10
PT_SMTP = 0
# OS settings
LF_SCRIPT_ALERT = 1
LF_SCRIPT_LIMIT = 300
LF_SCRIPT_PERM = 0
LF_DIRWATCH = 300
LF_DIRWATCH_DISABLE = 1
LF_DIRWATCH_FILE = 0
Last Edit: 23/10/2006
best you follow chirpys advise and set LF parser
LF_INTERVAL = 180
very important that you not set this value to (low) or any higher than 59 seconds, as it seem to be bugy and then youll be using +-50%cpu whenst LFD is in sleep mode,,, you can verify for your self by looking at your current cpu usage
Last Edit: 23/10/2006
best you follow chirpys advise and set LF parser to[5] seconds
LF_PARSE = 59 <------------------ correction please set to five [5]
LF_EMAIL_ALERT = 1
LT_EMAIL_ALERT = 1
LT_POP3D = 60
LT_IMAPD = 0
LF_DSHIELD = 7200
LF_DSHIELD_URL = http://feeds.dshield.org/block.txt
LF_SPAMHAUS = 7200
LF_SPAMHAUS_URL = http://www.spamhaus.org/drop/drop.lasso
also becarfull with this next few options, this because i think if you set it to low then you could disterb chat software, as the members may be blocked,,, so if you using chat software then play around with this nex few settings,,, this is with regard to (anty Dos) & connection tracking, (chating software) & (google spiders),,, Ive set myn high below.
CT_LIMIT = 300
CT_INTERVAL = 300
CT_EMAIL_ALERT = 1
CT_PERMANENT = 0
CT_BLOCK_TIME = 300
PT_LIMIT = 300
PT_INTERVAL = 300
PT_SKIP_HTTP = 0
PT_USERPROC = 10
PT_SMTP = 0
# OS settings
Last edited:
Hay bro, I hope that will help you,, cos I have tested that settings my self and have also tested the brute force protecton myself,,,,, every day sofare, this firewall has saved me bandwith & personal stress,,,, because within a 2minits of a brutus force password attcks on my servers,,,, then this firwall is stoping and blocking the attckers,,,
I smile every day whenst i look at my logs and see another one added to my bloklist.
my setting realy work,,, althou i still bissy to tweek more.
chow!!
:D
DTmonk
----------
----------
I smile every day whenst i look at my logs and see another one added to my bloklist.
my setting realy work,,, althou i still bissy to tweek more.
chow!!
:D
DTmonk
----------
----------
Cool, thanks for the info. The software appears to do a real good job, so thank you for recommending it. :D
That's no accurate as I mentioned in the main CSF thread. You should leave it at 5 seconds for very good performance reasons.DTmonk said:
| Thread starter | Similar threads | Forum | Replies | Date |
|---|---|---|---|---|
| J | IP blocked in firewall won't unblock | Security | 5 | |
| X | SOLVED APF firewall | Security | 6 | |
| F | Issue with Firewall | Security | 3 | |
| R | Web Application Firewall Suggestion for OpenCart | Security | 3 | |
|
how to know WHY my firewall block a particular IP? | Security | 7 |