DTmonk

Member
Jul 31, 2006
13
0
151
South Africa
try this one,,,

hay bro,

I found this 2 days back, and its works great for WHM/scpanel servers.
athou its a lil tricky if you have a vps server, but i got myn to work on my real servers and my vps servers

My WHM/CPanel versions.
WHM 10.8.0 cPanel 10.9.0-R47
CentOS 4.4 i686 - WHM X v3.1.0

Firewall url.
http://www.configserver.com/cp/csf.html

Enjoy!!

DTmonk
-----------
-----------
 

DTmonk

Member
Jul 31, 2006
13
0
151
South Africa
Oh’ and one last thing, when you are configuring your firwall, be carfull of this option (LF_PARSE = ??)

If you set this option higher than 59 seconds, then youll find your server using 20-50% of its cpu,,,, but if you set it to 59 seconds like I have’ then your server wont even feel any stress. I think it’s a bug or something, other than that,,,, I’m smiling all the way, specially with the auto blocking features.
 

DReade83

Well-Known Member
Oct 20, 2006
196
0
166
Cheshire, UK
Right, I have CSF installed and I'm nearly done with correcting all the warnings in the Security Check screen. The LF_PARSE setting is set to 5. Is this OK?
 

DTmonk

Member
Jul 31, 2006
13
0
151
South Africa
Nop, cos that meens that its going to read the logs every 5 secounds, and thats no good as this is to streesfull,, rather you set it to 59 second like i have.

i will see if i can post my config file for you then you can see what work for me.

back in a 15min.

chow!!
 

DTmonk

Member
Jul 31, 2006
13
0
151
South Africa
part (1) of my settings.

Copyright 2006, Way to the Web Limited
# URL: http://www.waytotheweb.com
# Email: [email protected]
###############################################################################


TESTING = 0


TESTING_INTERVAL = 1


AUTO_UPDATES = 0


ETH_DEVICE =

# Unfiltered ethernet devices in a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP =

# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).

# Allow incoming TCP ports
TCP_IN = 20,21,22,25,53,80,110,143,443,465,953,993,995,2082,2083,2086,2087,2095,2096

# Allow outgoing TCP ports
TCP_OUT = 20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703

UDP_IN = 20,21,53,953


UDP_OUT = 20,21,53,113,123,873,953,6277
ICMP this settings will alow ping to enter and answer to retern, but will still provent my server
to participte in a dos attck, cos the server may not start the ping (I did this cos the data center is monitoring my server with pings.)

# Allow incoming PING
ICMP_IN = 1

# Allow outgoing PING
ICMP_OUT = 0


SMTP_BLOCK = 1

SMTP_ALLOWLOCAL = 1


this for VPS servers only
MONOLITHIC_KERNEL = 0


DROP_LOGGING = 1

DROP_IP_LOGGING = 1


DROP_ONLYRES = 1


DROP_NOLOG = 67,68,111,113,135:139,445,513,520,1026,1027,1234,1433,1434,1524,3127

PACKET_FILTER = 1


VERBOSE = 1

DYNDNS = 0


ALLOW_RES_PORTS = 0


DENY_IP_LIMIT = 250


GLOBAL_ALLOW =
GLOBAL_DENY =
LF_GLOBAL =

LF_DAEMON = 1

This is vey important, cos my options was to stop script brutu force, but not lock myself out or my users,,,, if you use my settings below, then if you are cought by logfile Demon,, then your only blocked from that port. I think this is best, as I usaly go an inspect the bloked IP's, and then add them MANUALY to my perminent deny list!!



from here,, down ,

LF_TRIGGER = 0

LF_SELECT = 1


LF_SSHD = 7

LF_FTPD = 20

LF_POP3D = 20

LF_IMAPD = 20


LF_HTACCESS = 1


LF_MODSEC = 1

LF_CPANEL = 20

LF_CSF = 1


LF_SSH_EMAIL_ALERT = 1


LF_SU_EMAIL_ALERT = 1

To here,,,, all the above very important,
 
Last edited:

DTmonk

Member
Jul 31, 2006
13
0
151
South Africa
part (2) of my settings.

LF_SCRIPT_ALERT = 1


LF_SCRIPT_LIMIT = 300


LF_SCRIPT_PERM = 0


LF_DIRWATCH = 300


LF_DIRWATCH_DISABLE = 1


LF_DIRWATCH_FILE = 0

Last Edit: 23/10/2006
best you follow chirpys advise and set LF parser



LF_INTERVAL = 180

very important that you not set this value to (low) or any higher than 59 seconds, as it seem to be bugy and then youll be using +-50%cpu whenst LFD is in sleep mode,,, you can verify for your self by looking at your current cpu usage

Last Edit: 23/10/2006
best you follow chirpys advise and set LF parser to
[5] seconds
LF_PARSE = 59 <------------------ correction please set to five [5]
LF_EMAIL_ALERT = 1


LT_EMAIL_ALERT = 1


LT_POP3D = 60


LT_IMAPD = 0


LF_DSHIELD = 7200

LF_DSHIELD_URL = http://feeds.dshield.org/block.txt


LF_SPAMHAUS = 7200

LF_SPAMHAUS_URL = http://www.spamhaus.org/drop/drop.lasso

also becarfull with this next few options, this because i think if you set it to low then you could disterb chat software, as the members may be blocked,,, so if you using chat software then play around with this nex few settings,,, this is with regard to (anty Dos) & connection tracking, (chating software) & (google spiders),,, Ive set myn high below.

CT_LIMIT = 300


CT_INTERVAL = 300


CT_EMAIL_ALERT = 1

CT_PERMANENT = 0

CT_BLOCK_TIME = 300


PT_LIMIT = 300

PT_INTERVAL = 300


PT_SKIP_HTTP = 0


PT_USERPROC = 10


PT_SMTP = 0

# OS settings
 
Last edited:

DTmonk

Member
Jul 31, 2006
13
0
151
South Africa
Hay bro, I hope that will help you,, cos I have tested that settings my self and have also tested the brute force protecton myself,,,,, every day sofare, this firewall has saved me bandwith & personal stress,,,, because within a 2minits of a brutus force password attcks on my servers,,,, then this firwall is stoping and blocking the attckers,,,

I smile every day whenst i look at my logs and see another one added to my bloklist.
my setting realy work,,, althou i still bissy to tweek more.

chow!!

:D
DTmonk
----------
----------
 

rikgarner

Well-Known Member
Mar 31, 2006
75
1
158
/dev/null
Chirpy's CSF is by far the best firewall and set of security-related tools I have seen for Cpanel, and he is a valued member of the Cpanel community.

Rich
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,462
25
473
Go on, have a guess
DTmonk said:
Nop, cos that meens that its going to read the logs every 5 secounds, and thats no good as this is to streesfull,, rather you set it to 59 second like i have.
That's no accurate as I mentioned in the main CSF thread. You should leave it at 5 seconds for very good performance reasons.