====== ConfigServer Security & Firewall (CSF) ======
See also **[[internet:mail:zimbra:zimbra_ose|Zimbra Collaboration Server - Open Source Edition]]**
http://configserver.com/cp/csf.html
http://configserver.com/free/csf/readme.txt
http://www.woktron.com/secure/knowledgebase/77/Installation-CSF-Firewall-on-CentOS-5-and-6.html
http://blog.softlayer.com/2013/iptables-tips-and-tricks-csf-configuration
http://pawapv.wordpress.com/2013/09/10/csf-firewall-installation-and-configuration/
http://www.bsntech.com/installing-configserver-firewall-on-ubuntu-1204/
* **Advanced Firewall**
* Replaces ''ufw'' and ''firewalld''
* **Log File Monitoring**
* Replaces ''fail2ban''
* **Webmin Module**
* Easy web browser management
* **IP Block Lists**
* Preconfigured
* Just enable the lists you want to use
===== Prerequisites =====
The **No Webmin Installed** variant below also installs **Webmin**, which provides the web GUI for CSF and for host management.
==== Ubuntu ====
=== Webmin Already Installed ===
apt-get install unzip ipset libwww-perl liblist-compare-perl liblwp-protocol-https-perl \
libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl \
libsocket6-perl libgd-graph-perl
=== No Webmin Installed ===
echo -e "\n# Webmin\ndeb http://download.webmin.com/download/repository sarge contrib\ndeb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib" >> /etc/apt/sources.list
wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add -
:!: ''apt-key'' is deprecated on current Ubuntu releases; there, store the key under ''/etc/apt/keyrings/'' and reference it with ''signed-by='' in the repository line instead. The signing key above is fetched over plain HTTP, so compare its fingerprint with the one published on the Webmin site before trusting it.
add-apt-repository universe && apt update
apt install webmin unzip ipset libwww-perl liblist-compare-perl \
liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \
libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl
===== Installation =====
==== Prep Default Firewall ====
You may optionally want to open a few holes in the default firewall, so that if it ever gets turned back on (a package upgrade, a configuration-management run) you are not locked out of SSH and Webmin:
=== Ubuntu ===
systemctl status ufw.service
ufw status verbose
ufw allow 10000/tcp   # Webmin; do the same for the port you manage the host over (SSH)
==== Install CSF ====
http://www.maxwhale.com/how-to-install-csf-on-webmin/
http://www.ask-gabe.com/server-admin/how-to-install-csf-config-server-firewall-with-webmin-support/
:!: On a generic (non-cPanel) install, CSF does **not** configure the open ports for you. The installer prints the TCP and UDP ports that are currently listening (see the installer output under Notes below) for information only; you must put the ones that should be reachable into ''TCP_IN'', ''UDP_IN'' and the IPv6 equivalents yourself, and leave out anything that should stay local (e.g. ''3306'').
:!: Upon installation, CSF starts in **Testing Mode** (''TESTING = "1"''): a cron job flushes the rules every ''TESTING_INTERVAL'' minutes so a mistake cannot lock you out, and LFD refuses to run. Set ''TESTING = "0"'' once the configuration has been revised.
:!: Upon installation, check the **OS Specific Settings** and verify that your OS was detected properly and that the **Log file locations** are correct. LFD counts failures from those files, so a wrong path means no blocking at all.
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
==== Log Restrictions ====
Anything on the host that can write to ''/dev/log'' can forge syslog lines, including fake login failures that make LFD block an address of the forger's choosing (a customer's office, a site's legitimate users). ''RESTRICT_SYSLOG'' in ''csf.conf'' is the mitigation: ''0'' leaves the syslog-based ''LF_*'' triggers enabled with no protection, ''1'' and ''2'' disable those triggers in different ways (see the comments in ''csf.conf''), and ''3'' restricts access to the syslog socket to the members of ''RESTRICT_SYSLOG_GROUP'' (''mysyslog'' by default).
:!: **Do not enable the log restriction feature of CSF when using Virtualmin**, at least not without serious research and testing: leave ''RESTRICT_SYSLOG = 0''.
:!: If using ''RESTRICT_SYSLOG = 3'', you must create the ''mysyslog'' group and add every user whose service logs through syslog to it, otherwise those services silently lose their logging (and LFD loses the very failures it is meant to count). List the running services to find their users:
ps aux
groupadd mysyslog   # if the group doesn't already exist
usermod -aG mysyslog root   # -a appends; -G alone would replace root's supplementary groups
# candidates: syslog daemon messagebus systemd-network systemd-resolve
# clamav www-data, proftpd, postfix, mysql, dovecot, opendkim, postgrey, zimbra, lool
grep mysyslog /etc/group
==== Install the CSF Webmin Module ====
**Webmin -> Webmin Configuration -> Webmin Modules -> From local file -> ''/etc/csf/csfwebmin.tgz'' -> Install Module**
==== Ubuntu Startup ====
If you have another firewall configured, stop it and make sure it doesn't auto-start, or just remove it: two tools managing the same ''iptables'' tables overwrite each other's rules on every restart.
Disable the existing firewall, then enable CSF and LFD and load the rules:
ufw disable
systemctl disable firewalld.service && systemctl stop firewalld.service
systemctl disable fail2ban.service && systemctl stop fail2ban.service
csf -e    # enable csf and lfd (undoes csf -x)
csf -ra   # load the rules and (re)start lfd
The CSF install script registers the ''csf'' and ''lfd'' services, so both auto-start at boot.
==== CentOS Startup ====
Disable and stop ''iptables'' and ''firewalld'':
service iptables stop && chkconfig iptables off
service ip6tables stop && chkconfig ip6tables off
systemctl stop firewalld && systemctl disable firewalld
Enable and start CSF and LFD (''chkconfig'' applies to CentOS 6; on CentOS 7 the installer registers systemd units):
chkconfig csf on && chkconfig lfd on
csf -e    # enable csf and lfd (undoes csf -x)
csf -ra   # load the rules and (re)start lfd
==== Verify Functionality ====
''csftest.pl'' checks that the kernel has every ''iptables'' module CSF needs; each line should report OK. A FATAL line means the firewall cannot work on this kernel, which is common inside containers and on some VPS images.
perl /usr/local/csf/bin/csftest.pl
===== SSH Login Tracking =====
Put the addresses you administer from into ''/etc/csf/csf.ignore'' so LFD never blocks them, whatever the failure counters say (an entry in ''csf.allow'' alone does not stop LFD from adding a deny unless ''IGNORE_ALLOW'' is set):
vim /etc/csf/csf.ignore
Disable repeated message reduction in ''rsyslog'' (the "last message repeated N times" lines), so that every failed login is written out as its own line and LFD counts it:
grep -r Repeat /etc/rsyslog.*
sudo sed -i 's/RepeatedMsgReduction\ on/RepeatedMsgReduction\ off/' /etc/rsyslog.conf
sudo service rsyslog restart
sudo csf -ra
===== Basic Command Line =====
http://www.linuxbrigade.com/learn-the-csf-command-line-options/
http://www.hostdime.com/resources/csf-ssh-command-line-commands/
|csf |lists all options (no arguments prints the help) |
|csf -l |lists the current IPv4 ''iptables'' rules (''csf -l6'' for IPv6) |
|csf -g IPADDRESS |searches the rules and the temporary and permanent deny lists for an IP; use this to find out why a host is blocked |
|csf -d IPADDRESS |permanently denies an IP (adds it to ''csf.deny'') |
|csf -dr IPADDRESS |removes an IP from ''csf.deny'' |
|csf -a IPADDRESS |permanently allows an IP (adds it to ''csf.allow'') |
|csf -t |lists the temporary allow/deny entries with their remaining TTL |
|csf -td IPADDRESS [SECONDS] |temporarily denies an IP |
|csf -tr IPADDRESS |removes a temporary entry |
|csf -r |reloads all rules |
|csf -ra |restarts CSF and LFD |
|csf -f |flushes/unloads all rules; LFD may restart CSF |
|csf -u |updates CSF |
|csf -e |enables CSF and LFD again after ''csf -x'' |
|csf -x |stops and disables CSF and LFD completely |
|service csf restart |restarts the CSF service |
|service lfd restart |restarts the LFD service |
===== Configuration =====
**Admin URL**: https://ip.of.csf.host:10000/
==== Configure Webmin ====
**Webmin -> Webmin Configuration -> Webmin Modules -> From local file > /etc/csf/csfwebmin.tgz > Install Module**
:!: Settings shown are for a Virtualmin hosting server.
http://www.woktron.com/secure/knowledgebase/77/Installation-CSF-Firewall-on-CentOS-5-and-6.html
https://www.digitalocean.com/community/articles/how-to-install-and-configure-config-server-firewall-csf-on-ubuntu
**Webmin -> System -> ConfigServer Security & Firewall**
==== Sample Firewall Configuration ====
Formats of the less obvious values: ''CONNLIMIT'' is a list of ''port;limit'' pairs (maximum concurrent new connections per source IP to that port); ''PORTFLOOD'' is a list of ''port;protocol;hits;interval'' groups (a source that opens more than ''hits'' new connections to ''port'' within ''interval'' seconds is blocked); ''33434:33523'' in the UDP lists is a port range (the one traceroute uses). ''DENY_IP_LIMIT'' caps the number of entries in ''csf.deny'' and the oldest are rotated out when it is reached, so raise it if you keep large manual block lists.
^Setting ^Value ^
|TESTING |0 |
|IPV6 |1 |
|TCP_IN |20,21,22,25,53,80,110,143,443,465,587,993,995 |
|TCP_OUT |20,21,22,25,53,80,110,113,443 |
|UDP_IN |20,21,53 |
|UDP_OUT |20,21,53,113,123,33434:33523 |
|TCP6_IN |20,21,22,25,53,80,110,143,443,465,587,993,995 |
|TCP6_OUT |20,21,22,25,53,80,110,113,443 |
|UDP6_IN |20,21,53 |
|UDP6_OUT |20,21,53,113,123,33434:33523 |
|USE_CONNTRACK |1 |
|SYSLOG_CHECK |600 |
|DENY_IP_LIMIT |1000 |
|DENY_TEMP_IP_LIMIT |1000 |
|LF_IPSET |1 |
|SYNFLOOD |1 |
|CONNLIMIT |22;10,80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5 |
|PORTFLOOD |22;tcp;15;300,80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5 |
|DROP_OUT_LOGGING |1 |
|CONNLIMIT_LOGGING |1 |
|LF_PERMBLOCK_COUNT |2 |
|LF_NETBLOCK |1 |
|SAFECHAINUPDATE |1 |
|DYNDNS |600 |
|URLGET |2 |
|LF_SELECT |1 (block only the port(s) the failure was seen on instead of all traffic from the IP; for the ''LF_*'' triggers below, set any to ''0'' for services the server does not run) |
|LF_SSHD |5 |
|LF_SSHD_PERM |600 |
|LF_FTPD |10 |
|LF_FTPD_PERM |600 |
|LF_SMTPAUTH |10 |
|LF_SMTPAUTH_PERM |600 |
|LF_POP3D |10 |
|LF_POP3D_PERM |600 |
|LF_IMAPD |10 |
|LF_IMAPD_PERM |600 |
|LF_HTACCESS |5 |
|LF_HTACCESS_PERM |600 |
|LF_MODSEC |5 |
|LF_MODSEC_PERM |600 |
|LF_BIND |100 |
|LF_BIND_PERM |600 |
|LF_SUHOSIN |5 |
|LF_SUHOSIN_PERM |600 |
|LF_CXS |1 |
|LF_WEBMIN |10 |
|LF_WEBMIN_PERM |600 |
|LF_APACHE_404 |100 |
|LF_APACHE_403 |100 |
|LF_DISTATTACK |1 |
|LF_DISTFTP |5 |
|LF_DISTSMTP |5 |
|LT_POP3D |60 |
|LT_IMAPD |100 |
|LT_SKIPPERMBLOCK |1 |
|CT_LIMIT |300 |
==== Sample Allow Entries ====
* Each advanced entry is ''protocol|direction|field|field'': ''tcp'', ''udp'' or ''icmp''; ''in'' (incoming) or ''out'' (outgoing); then ''s='' (source) and ''d='' (destination) fields.
* A numeric ''s=''/''d='' value is a port, a dotted value is an address. For ''out'' rules the remote host is the destination, so its address is also written with ''d='' (see the second example below).
* A line that is just an IP address allows all traffic to and from that IP.
* CIDR address blocks are also allowed.
Edit ''/etc/csf/csf.allow'':
vim /etc/csf/csf.allow
To allow access to port 25 from a particular IP address, add a line like:
tcp|in|d=25|s=1.2.3.4
To allow outbound mail to port 587 to a particular mail server IP address, add a line like:
tcp|out|d=587|d=1.2.3.4
To allow Webmin access:
# Webmin Access
tcp|in|d=10000|s=1.2.3.4 # Allow from your management IP or CIDR
To allow a range of ports to and from a remote host:
tcp|in|d=10000_10010|s=1.2.3.4
tcp|out|d=10001_10010|d=1.2.3.4
:!: Reload the rules with ''csf -ra'' after editing, then confirm the entry took effect with ''csf -g 1.2.3.4'' (a mistyped line is easy to miss in the restart output).
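Before reloading, it is worth catching typos in ''csf.allow'' and ''csf.deny'': a wrong octet or a misspelt protocol gives you a rule that never matches rather than an error you notice. The checker below is an added example (not part of CSF) that applies the field rules just listed to each line. The sample lines are the ones above plus three deliberately broken ones; the IPv4-only scope and the treatment of ''icmp'' entries as unchecked are this script's own simplifications, not CSF rules.

```perl
#!/usr/bin/perl
# Added example, not CSF code: sanity-check csf.allow / csf.deny entries
# against the field syntax described above, before running `csf -ra`.
# Scope (a simplification of this script, not a CSF rule): tcp/udp advanced
# entries, bare IPv4 addresses and IPv4 CIDR blocks. icmp entries and IPv6
# are reported as "unchecked" rather than guessed at.
use strict;
use warnings;

# IPv4 address, optionally with a /prefix.
sub valid_ip {
    my ($s) = @_;
    return 0 unless $s =~ m{^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:/(\d{1,2}))?$};
    my @oct  = ($1, $2, $3, $4);
    my $bits = $5;
    return 0 if grep { $_ > 255 } @oct;
    return 0 if defined $bits && $bits > 32;
    return 1;
}

# Single port or low_high range, all within 1..65535.
sub valid_port {
    my ($p) = @_;
    return 0 unless $p =~ /^(\d{1,5})(?:_(\d{1,5}))?$/;
    my ($lo, $hi) = ($1, $2);
    return 0 if $lo < 1 || $lo > 65535;
    return 0 if defined $hi && ($hi > 65535 || $hi < $lo);
    return 1;
}

# Returns 'ok', 'blank', 'unchecked', or a description of the first problem found.
sub check_line {
    my ($line) = @_;
    $line =~ s/#.*//;                      # trailing comment
    $line =~ s/^\s+|\s+$//g;
    return 'blank'     if $line eq '';
    return 'unchecked' if $line =~ /:/;    # IPv6 is not handled here
    # Simple form: a bare address or block, allowed in both directions.
    return valid_ip($line) ? 'ok' : "bad address '$line'" if $line !~ /\|/;
    my ($proto, $dir, @fields) = split /\|/, $line;
    $dir = '' unless defined $dir;
    return 'unchecked' if $proto eq 'icmp'; # icmp entries carry a type, not a port
    return "bad protocol '$proto'"  unless $proto =~ /^(?:tcp|udp)$/;
    return "bad direction '$dir'"   unless $dir   =~ /^(?:in|out)$/;
    my ($ports, $addrs) = (0, 0);
    for my $f (@fields) {
        my ($v) = $f =~ /^[sd]=(.+)$/ or return "bad field '$f'";
        if ($v =~ /^[0-9_]+$/) { valid_port($v) or return "bad port '$v'";    $ports++ }
        else                   { valid_ip($v)   or return "bad address '$v'"; $addrs++ }
    }
    return 'missing port'    unless $ports;
    return 'missing address' unless $addrs;
    return 'ok';
}

# Given a file argument (e.g. /etc/csf/csf.allow), report only the problem lines.
if (@ARGV) {
    open my $fh, '<', $ARGV[0] or die "$ARGV[0]: $!";
    while (my $l = <$fh>) {
        chomp $l;
        my $r = check_line($l);
        printf "%-26s %s\n", $r, $l unless $r eq 'ok' || $r eq 'blank';
    }
    exit;
}

# Constructed sample: the entries shown above plus three deliberately broken ones.
my @sample = (
    'tcp|in|d=25|s=1.2.3.4',
    'tcp|out|d=587|d=1.2.3.4',
    'tcp|in|d=10000|s=1.2.3.4 # Allow from your management IP or CIDR',
    'tcp|in|d=10000_10010|s=1.2.3.4',
    '198.51.100.0/24',
    'tcp|in|d=10000|s=1.2.3.999',   # octet out of range
    'tpc|in|d=22|s=1.2.3.4',        # typo in the protocol
    'tcp|in|s=1.2.3.4',             # advanced entry with no port
);
printf "%-26s %s\n", check_line($_), $_ for @sample;
```

Run without arguments to see the verdicts on the sample (the first five are ''ok'', the last three report the bad octet, the bad protocol and the missing port); run as ''perl csf_allow_check.pl /etc/csf/csf.allow'' to list only the problem lines in the real file.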
===== Backup and Restore CSF =====
==== Web Interface ====
There is a backup and restore function of the web interface under **Firewall Profiles**.
:!: Backups are stored in ''/var/lib/csf/backup/''.
==== CLI ====
http://www.host-stage.net/client-area/knowledgebase/53/How-To-Backup-or-Restore-or-Export-your-CSF-Firewall-Configuration.html
cd /etc/csf/
tar cvfz csfbackup.tgz csf.conf csf.allow csf.dyndns csf.deny csf.*ignore csf.blocklists
:!: Copy ''csfbackup.tgz'' to the new server and move it into ''/etc/csf/'' before extracting, then reload the rules:
cd /etc/csf/ && tar -xzvf csfbackup.tgz && csf -ra
:!: When the restored ''csf.conf'' comes from an older CSF version, watch ''/var/log/lfd.log'' on the first restart for complaints about settings missing from the restored file. You may also need to manually deal with ''/usr/local/csf/bin/regex.custom.pm'' if you have customized LFD, since it is not included in the archive above.
===== Logging =====
CSF logs to syslog (''/var/log/messages'' or ''/var/log/syslog'').
LFD generally logs to ''/var/log/lfd.log'' but can optionally log to syslog as well.
==== Log Pollution ====
DROP_NOLOG = "67,68,111,113,135:139,445,500,513,520,5678"
Drops to these ports are not logged, to conserve disk space and keep the log readable: they are the usual broadcast and LAN noise (DHCP, portmapper, ident, NetBIOS/SMB, IKE, rwho, RIP). Here port 5678 (MikroTik router neighbour discovery broadcasts) has been added to the default list. Keep the list short: a port you stop logging is a port you can no longer investigate from the log.
==== Log to Separate File ====
:!: If you do this, also set ''IPTABLES_LOG = "/var/log/iptables.log"'' in ''csf.conf''. LFD reads that file for port-scan tracking and watch mode, so if it still points at ''/var/log/messages'' those features go blind once the lines are diverted.
You may find a busy server's ''syslog'' gets polluted by ''iptables'' firewall lines. This will separate the ''iptables'' lines into their own log file.
=== CentOS/Redhat ===
== /etc/rsyslog.d/iptables.conf ==
# Log CSF iptables to a separate file & discard it from all subsequent rules:
:msg, startswith, "Firewall: " -/var/log/iptables.log
& stop
Restart the ''rsyslog'' service:
systemctl restart rsyslog.service
== /etc/logrotate.d/iptables ==
/var/log/iptables.log
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
create 0600 root root
postrotate
systemctl restart rsyslog.service ; sleep 5
endscript
}
=== Ubuntu/Debian ===
On **Ubuntu** systems the message begins with the kernel uptime timestamp, something like ''[306786.268889]'', before ''Firewall: '', so ''startswith'' never matches and ''contains'' is used instead.
== /etc/rsyslog.d/15-iptables.conf ==
# Log CSF iptables to a separate file & discard it from all subsequent rules:
:msg, contains, "Firewall: " -/var/log/iptables.log
& stop
== /etc/logrotate.d/iptables ==
/var/log/iptables.log
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
create 0640 syslog adm
postrotate
systemctl restart rsyslog.service ; sleep 5
endscript
}
==== Restart ''rsyslog'' Service ====
systemctl restart rsyslog.service
==== Force Log Rotation ====
/usr/sbin/logrotate -f /etc/logrotate.conf
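Once the drops are in their own file, the question is what is in them: which ports only ever see noise (candidates for ''DROP_NOLOG'') and which sources keep coming back (candidates for ''csf.deny''). The script below is an added example, not CSF code. It parses the ''Firewall: *CHAIN Blocked*'' lines CSF writes through the kernel log, with an unanchored match so that both the CentOS form and the Ubuntu form with the kernel timestamp in front are handled, and tallies them by chain, destination port and source. The log lines it ships with are constructed (TEST-NET addresses), not captured traffic.

```perl
#!/usr/bin/perl
# Added example, not CSF code: summarise csf's "Firewall: *CHAIN Blocked*"
# kernel-log lines by chain, destination port and source address. The match is
# unanchored, so it copes with both the CentOS form (message starts with
# "Firewall: ") and the Ubuntu form with the kernel uptime timestamp in front,
# which is the same distinction the rsyslog filters above have to handle.
use strict;
use warnings;

# Parse one syslog line. Returns a hashref, or nothing for lines that are not csf drops.
sub parse_drop {
    my ($line) = @_;
    return unless $line =~ /Firewall: \*([A-Za-z0-9_]+) Blocked\* (.*)$/;
    my ($chain, $rest) = ($1, $2);
    # Netfilter log fields are KEY=VALUE tokens; flags such as DF or SYN have no value.
    my %kv;
    for my $tok (split ' ', $rest) {
        $kv{$1} = $2 if $tok =~ /^([A-Z]+)=(.*)$/;
    }
    return { chain => $chain, src => $kv{SRC}, dst => $kv{DST},
             proto => $kv{PROTO}, dpt => $kv{DPT} };
}

# Count drops per chain, per protocol/port and per source address.
sub summarise {
    my (%chain, %port, %src);
    for my $line (@_) {
        my $d = parse_drop($line) or next;
        $chain{ $d->{chain} }++;
        $src{ $d->{src} }++ if defined $d->{src};
        $port{ "$d->{proto}/$d->{dpt}" }++ if defined $d->{dpt};
    }
    return (\%chain, \%port, \%src);
}

# Print a count table, busiest first.
sub show {
    my ($title, $h) = @_;
    print "$title\n";
    printf "  %6d  %s\n", $h->{$_}, $_ for sort { $h->{$b} <=> $h->{$a} || $a cmp $b } keys %$h;
}

# Constructed sample lines (not captured traffic): two CentOS-style entries,
# then Ubuntu-style ones with the kernel timestamp, plus one unrelated line.
my @lines = (
    'Nov 13 13:21:01 mail kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.1 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=41532 DPT=23 WINDOW=29200 SYN URGP=0',
    'Nov 13 13:21:02 mail kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.1 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=41533 DPT=3389 WINDOW=29200 SYN URGP=0',
    'Nov 13 13:21:03 mail kernel: [306786.268889] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.1 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=41534 DPT=22 WINDOW=29200 SYN URGP=0',
    'Nov 13 13:21:04 mail kernel: [306786.512001] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=50001 DPT=23 WINDOW=14600 SYN URGP=0',
    'Nov 13 13:21:05 mail kernel: [306787.000123] Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.254 DST=255.255.255.255 LEN=129 TTL=64 ID=0 DF PROTO=UDP SPT=5678 DPT=5678 LEN=109',
    'Nov 13 13:22:05 mail kernel: [306847.000456] Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.254 DST=255.255.255.255 LEN=129 TTL=64 ID=0 DF PROTO=UDP SPT=5678 DPT=5678 LEN=109',
    'Nov 13 13:22:06 mail sshd[2101]: Accepted publickey for root from 198.51.100.9 port 5012 ssh2',
);

# With a file argument (e.g. /var/log/iptables.log) summarise that instead.
if (@ARGV) {
    open my $fh, '<', $ARGV[0] or die "$ARGV[0]: $!";
    @lines = <$fh>;
    chomp @lines;
}

my ($chain, $port, $src) = summarise(@lines);
show('Drops by chain', $chain);
show('Drops by protocol/port (DROP_NOLOG candidates at the top)', $port);
show('Drops by source address (csf.deny candidates at the top)', $src);
```

On the sample this reports four ''TCP_IN'' and two ''UDP_IN'' drops, ''UDP/5678'' level with ''TCP/23'' at the top of the port table (which is exactly why 5678 went into ''DROP_NOLOG'' above), and ''203.0.113.10'' as the busiest source. Pointing it at the real ''/var/log/iptables.log'' gives the same three tables for your traffic.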
===== Blocklists =====
**Research**: http://forum.configserver.com/viewtopic.php?t=7719
Edit ''csf.blocklists'' (self-documented) and **un-comment at least the CIDR lists**:
* SPAMDROP
* SPAMEDROP
* DSHIELD
As long as ''ipset'' is installed and ''LF_IPSET'' is enabled, and you have the CPU and memory to spare, you can enable as many blocklists as you want. Without ''ipset'' every list entry becomes an individual ''iptables'' rule, and large lists make rule loading and every packet's traversal slow.
While the CIDR lists above will cover about 92%, you may also consider these other lists, if you have resources to spare (CPU, memory):
* BOGON (contains the RFC 1918 private ranges, so it blocks your own LAN and VPN peers; only enable it on a host that never talks to private addresses)
* HONEYPOT
* BFB
* OPENBL
* MAXMIND
* CIARMY
* AUTOSHUN
:!: Some of these feeds have since been discontinued (OpenBL, for one). A dead list only produces fetch errors in ''/var/log/lfd.log'', so check there after enabling anything and comment out lists that no longer resolve.
===== Dynamic DNS =====
Edit ''csf.dyndns'' and add the dynamic DNS host names (FQDNs) you want to permit through the firewall.
===== Temporary Bans =====
:!: The default ''DENY_TEMP_IP_LIMIT'' setting is ''1000''. It is often necessary to increase this limit, assuming you have the resources.
Temporary bans do **not** take advantage of ''ipset''; each one is an individual ''iptables'' rule. **If the number of bans is very high, it can take a long time to restart CSF** and will use more CPU and RAM.
The temporary bans are kept in a file: ''/var/lib/csf/csf.tempban''. ''csf -t'' lists them with their remaining TTL, and ''csf -tr IPADDRESS'' removes one.
===== Troubleshooting =====
==== Hanging ====
Try flushing all the temporary and/or permanent blocks. Note that ''csf -df'' empties ''csf.deny'', so every manual permanent block is lost; copy ''/etc/csf/csf.deny'' somewhere safe first:
csf -tf && csf -df && csf -ra
==== Watch Mode ====
WATCH_MODE = "0"
If you are ever stuck troubleshooting a problem, consider turning this option on (''"1"'') and adding the address in question with ''csf -w IPADDRESS''. LFD then records every ''iptables'' hit for that address in ''/var/log/lfd.log'', so you can see exactly which chain accepts or drops it. Turn it off again when done, because it logs every packet from the watched addresses.
==== Pull IP Address List from Log ====
https://www.iplocation.net/
You may want to check the results to see where they are from, then decide which to block permanently in ''csf.deny''. This lists the addresses behind Postfix SASL failures with a count per address (the ''unknown\['' anchor only catches clients with no reverse DNS, which is most of them):
grep "SASL LOGIN authentication failed" /var/log/mail.log |grep -Eo "unknown\[([0-9]{1,3}[\.]){3}[0-9]{1,3}" |grep -Eo "([0-9]{1,3}[\.]){3}[0-9]{1,3}" |sort |uniq -c |sort -rn
Use this command to look for Dovecot attempts against a particular domain (''rip='' is the remote IP in Dovecot's log lines):
grep "auth failed" /var/log/mail.log |grep somedomain |grep -Eo "rip=([0-9]{1,3}[\.]){3}[0-9]{1,3}" |grep -Eo "([0-9]{1,3}[\.]){3}[0-9]{1,3}" |sort |uniq -c |sort -rn
===== Notes =====
Results of install script on a Virtualmin server:
TCP ports currently listening for incoming connections:
22,25,53,110,143,587,993,995,3306,10000,20000
UDP ports currently listening for incoming connections:
53,123,10000,20000
IPv6 TCP ports currently listening for incoming connections:
21,22,25,53,80,110,143,443,587,993,995
IPv6 UDP ports currently listening for incoming connections:
53,123
Note: The port details above are for information only, csf hasn't been auto-configured.
Don't forget to:
1. Configure the following options in the CSF configuration to suite your server: TCP_*, UDP_*, IPV6, TCP6_*, UDP6_*
2. Restart ''csf'' and ''lfd''
3. Set ''TESTING'' to ''0'' once you're happy with the firewall, ''lfd'' will not run until you do so
Adding current SSH session IP address to the csf whitelist in csf.allow:
Adding 192.168.0.69 to csf.allow only while in TESTING mode (not iptables ACCEPT)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
`/etc/csf/csfwebmin.tgz' -> `/usr/local/csf/csfwebmin.tgz'
Installation Completed
====== LFD - Login Failure Daemon ======
**Custom RegEx**: https://forum.configserver.com/viewtopic.php?t=7517
LFD does more than just monitor log files for login failures.
LFD, in some opinions, is the best reason to implement the CSF firewall!
:!: After a fresh install of CSF+LFD, you will probably get __many__ e-mail warning messages sent to ''root'' by LFD's process and suspicious file tracking mechanisms. You will probably want to deal with these issues to make the tracking mechanisms truly useful, but you can just turn them off.
:!: Make sure you have ''root'' mail routed to a real user! If you don't you could fill up the disk with unread e-mail messages.
See also: **[[computing:linux:root_mail|Route Administrative Mail to a Real Administrator]]**
You will need to make adjustments to the LFD configuration to make the e-mail notices truly useful, and they are.
:!: After modifying an 'ignore' file, restart LFD:
service lfd restart
===== Postfix =====
**Virtualmin SMTP**: https://www.virtualmin.com/comment/737419#comment-737419
:!: The Postfix MTA is not directly supported by LFD. You must use custom settings. FIXME Is this still true?
==== CentOS ====
http://forum.configserver.com/viewtopic.php?f=6&t=6968
Add a custom RegEx to detect SMTP authentication failures:
vim /usr/local/csf/bin/regex.custom.pm
Insert:
# Postfix
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
return ("Failed SASL login from",$1,"mysaslmatch","3","25","600");
}
Now, edit the CSF configuration to tell it to monitor the proper log file for the new RegEx:
vim /etc/csf/csf.conf
Change:
CUSTOM1_LOG = "/var/log/maillog"
==== Ubuntu ====
https://forum.configserver.com/viewtopic.php?f=6&t=7517&p=29227&hilit=postfix#p29227
In ''/etc/csf/csf.conf'':
CUSTOM1_LOG = "/var/log/mail.log"
In ''/usr/local/csf/bin/regex.custom.pm''. The daemon-name and SASL-mechanism alternations are written as non-capturing groups, ''(?:...)'', so that ''$1'' is the client address; with a capturing group in front, ''$1'' would be the string ''postfix/smtpd'' and LFD would be handed that instead of an IP. The values returned are the message, the IP, the trigger name, the number of hits before blocking, the ports to block and the block length in seconds (''1'' means permanent). If ''master.cf'' names the submission service, its lines are logged as ''postfix/submission/smtpd''; add that to the alternation.
# Postfix
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (?:postfix\/smtpd|postfix\/smtps\/smtpd)\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[([.[:digit:]]+)\]: SASL (?:LOGIN|PLAIN|(?:DIGEST|CRAM)-MD5|APOP) authentication failed.*/)) {
return ("Failed SMTP AUTH from",$1,"csmtpautherr","5","25,587","3600");
}
==== Zimbra ====
FIXME needs verification
CUSTOM1_LOG = "/var/log/maillog"
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ .* postfix\/s.*\/smtpd\[\d+\]: warning: .*\[(\d+\.\d+\.\d+\.\d+)\]: SASL (LOGIN|PLAIN|login) authentication failed:/)) {
return ("Failed SASL login from",$1,"mysaslmatch","5","25,587","3600");
}
==== Track the Culprit ====
^ OS ^ Log File ^
|CentOS/Redhat |/var/log/secure |
|Ubuntu/Debian |/var/log/auth.log |
|Zimbra |/opt/zimbra/log/audit.log |
Copy the date and time from the e-mail message from LFD and use a command like this to see which user is failing to log in:
grep "Nov 13 13:20" /var/log/secure
===== ProFTPd =====
**Virtualmin ProFTPd**: https://www.virtualmin.com/comment/737419#comment-737419
vim /etc/csf/csf.conf
==== CentOS ====
FTPD_LOG = "/var/log/secure"
==== Ubuntu ====
FTPD_LOG = "/var/log/proftpd/proftpd.log"
FIXME Testing...
LFD is not detecting logged problems...
vim /usr/local/csf/bin/regex.custom.pm
# ProFTPd
if (($lgfile eq $config{FTPD_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? USER (\S*): no such user found from/)) {
return ("Failed FTP AUTH from",$2,"cftpautherr","5","20,21","3600");
}
===== Dovecot =====
==== Ubuntu ====
The complete ''regex.custom.pm'' body for an Ubuntu Virtualmin host follows, combining the Postfix and ProFTPd rules above with one for Dovecot, together with the two ''csf.conf'' log settings they depend on. Dovecot's failures are in ''mail.log'' as well, so its rule shares ''CUSTOM1_LOG'' with Postfix and keys on the ''rip='' (remote IP) field. In ''csf.conf'':
FTPD_LOG = "/var/log/proftpd/proftpd.log"
CUSTOM1_LOG = "/var/log/mail.log"
In ''/usr/local/csf/bin/regex.custom.pm'':
# Postfix SASL Auth (non-capturing daemon and mechanism groups, so that $1 is the client IP)
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (?:postfix\/smtpd|postfix\/smtps\/smtpd)\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[([.[:digit:]]+)\]: SASL (?:LOGIN|PLAIN|(?:DIGEST|CRAM)-MD5|APOP) authentication failed.*/)) {
return ("Failed SMTP AUTH from",$1,"csmtpautherr","5","25,465,587","3600");
}
# ProFTPd
if (($lgfile eq $config{FTPD_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? USER (\S*): no such user found from/)) {
return ("Failed FTP AUTH from",$2,"cftpautherr","5","20,21","3600");
}
# Dovecot
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: .* \(auth failed.* rip=([.[:digit:]]+).*/)) {
return ("Failed Dovecot AUTH from",$1,"cimapautherr","5","110,143,993,995","3600");
}
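A rule in ''regex.custom.pm'' is only as good as its match against the real log format, and the only feedback LFD gives is a block that does or does not happen. The script below is an added example (not part of CSF, lfd or this page's original material) that dry-runs the Ubuntu Postfix and Dovecot rules above: it calls the same ''custom_line'' logic on constructed ''mail.log'' lines, tallies hits per trigger and address the way lfd does, and reports which addresses would be blocked. It does the job of the ''grep'' pipelines under Pull IP Address List from Log as well, with the trigger thresholds applied. The daemon and SASL-mechanism alternations in the Postfix pattern are written as non-capturing groups so that ''$1'' is the client address; the meaning of the returned list (message, IP, trigger name, hits before blocking, ports, block seconds with ''1'' meaning permanent) is taken from the CSF readme; the log lines are constructed, not real traffic.

```perl
#!/usr/bin/perl
# Added example, not part of CSF or lfd: a dry run of the Ubuntu Postfix and
# Dovecot rules above. lfd passes every new line of each watched log to
# custom_line() in regex.custom.pm; a matching rule returns (message, IP,
# trigger name, hits before blocking, ports to block, block length in seconds
# where 1 means permanent). This script feeds constructed log lines through the
# same two rules, tallies hits per trigger and IP, and reports which addresses
# would be blocked. lfd also only counts hits within LF_INTERVAL seconds of
# each other; that window is ignored here.
use strict;
use warnings;

my %config = (CUSTOM1_LOG => '/var/log/mail.log');

# Same rules as in regex.custom.pm above (daemon and mechanism alternations are
# non-capturing, so $1 is the client address).
sub custom_line {
    my ($line, $lgfile) = @_;
    # Postfix SASL Auth
    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (?:postfix\/smtpd|postfix\/smtps\/smtpd)\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[([.[:digit:]]+)\]: SASL (?:LOGIN|PLAIN|(?:DIGEST|CRAM)-MD5|APOP) authentication failed.*/)) {
        return ("Failed SMTP AUTH from", $1, "csmtpautherr", "5", "25,465,587", "3600");
    }
    # Dovecot
    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: .* \(auth failed.* rip=([.[:digit:]]+).*/)) {
        return ("Failed Dovecot AUTH from", $1, "cimapautherr", "5", "110,143,993,995", "3600");
    }
    return;
}

# Count matches per trigger and IP, remembering each trigger's parameters.
sub tally {
    my ($lgfile, @lines) = @_;
    my (%hits, %rule);
    for my $line (@lines) {
        my ($text, $ip, $app, $count, $ports, $secs) = custom_line($line, $lgfile);
        next unless defined $ip;
        $hits{$app}{$ip}++;
        $rule{$app} = { text => $text, count => $count, ports => $ports, secs => $secs };
    }
    return (\%hits, \%rule);
}

# Constructed /var/log/mail.log lines (not real traffic): five SMTP AUTH failures
# and one IMAP failure from 203.0.113.10, one SMTP failure from 198.51.100.7, and
# a successful IMAP login plus a plain connect line that must not match.
my @lines = (
    (map { "Nov 13 13:20:0$_ mail postfix/smtpd[1234]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6" } 1 .. 4),
    'Nov 13 13:20:05 mail postfix/smtps/smtpd[1240]: warning: unknown[203.0.113.10]: SASL PLAIN authentication failed: authentication failure',
    'Nov 13 13:20:06 mail postfix/smtpd[1234]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6',
    'Nov 13 13:20:07 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1, TLS',
    'Nov 13 13:20:08 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.1, TLS',
    'Nov 13 13:20:09 mail postfix/smtpd[1234]: connect from unknown[203.0.113.10]',
);

# With a file argument, run the rules over real log lines instead.
if (@ARGV) {
    open my $fh, '<', $ARGV[0] or die "$ARGV[0]: $!";
    @lines = <$fh>;
    chomp @lines;
}

my ($hits, $rule) = tally($config{CUSTOM1_LOG}, @lines);
for my $app (sort keys %$hits) {
    my $r = $rule->{$app};
    for my $ip (sort keys %{ $hits->{$app} }) {
        my $n = $hits->{$app}{$ip};
        my $verdict = $n >= $r->{count}
            ? "$r->{text} $ip: block ports $r->{ports} for $r->{secs}s"
            : "below trigger ($n of $r->{count})";
        printf "%-13s %-15s %d hit(s): %s\n", $app, $ip, $n, $verdict;
    }
}
```

On the sample, ''203.0.113.10'' reaches the five-hit SMTP trigger and is reported as blocked on 25, 465 and 587 for 3600 seconds, while its single Dovecot failure and the one failure from ''198.51.100.7'' stay below the threshold; the successful login and the connect line match nothing. Run it as ''perl lfd_dryrun.pl /var/log/mail.log'' against the live log to see what the rules would do with your traffic. After editing ''regex.custom.pm'' itself, ''perl -c /usr/local/csf/bin/regex.custom.pm'' catches syntax errors before ''service lfd restart'', and ''grep csmtpautherr /var/log/lfd.log'' confirms the trigger is firing.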
===== Process Tracking =====
http://forum.configserver.com/viewtopic.php?f=6&t=2059
The process tracking facility of LFD monitors the processes running on your server, watching for odd behaviour. Ever had a web site abused to run rogue PHP processes? LFD will let you know when it happens.
Here is a ''/etc/csf/csf.pignore'' file that has been (mostly) adjusted to ignore the normal processes running on a **Virtualmin** hosting server with a base **CentOS 6.6** operating system:
###############################################################################
# Copyright 2006-2014, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt
exe:/usr/bin/php-cgi
exe:/usr/sbin/clamd
exe:/usr/sbin/dkim-filter
exe:/usr/sbin/httpd
exe:/usr/sbin/named
exe:/usr/sbin/ntpd
exe:/usr/sbin/proftpd
exe:/usr/sbin/sshd
exe:/usr/sbin/zabbix_agentd
exe:/usr/libexec/mysqld
exe:/usr/libexec/dovecot/anvil
exe:/usr/libexec/dovecot/auth
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/imap-login
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/postfix/anvil
exe:/usr/libexec/postfix/cleanup
exe:/usr/libexec/postfix/local
exe:/usr/libexec/postfix/pickup
exe:/usr/libexec/postfix/qmgr
exe:/usr/libexec/postfix/smtpd
exe:/usr/libexec/postfix/smtp
exe:/usr/libexec/postfix/tlsmgr
exe:/usr/libexec/postfix/trivial-rewrite
exe:/usr/libexec/postfix/virtual
exe:/usr/libexec/postfix/proxymap
exe:/usr/libexec/postfix/lmtp
exe:/usr/libexec/postfix/scache
exe:/usr/libexec/postfix/master
pcmd:/usr/bin/python /usr/lib/mailman/bin/qrunner.*
pcmd:/usr/bin/python /usr/lib/mailman/bin/mailmanctl.*
pcmd:webalizer -c /etc/webmin/webalizer/var_log_virtualmin_.*
pcmd:/usr/bin/php -q /home/.*/public_html/client/crons/domainsync.php
pcmd:/usr/bin/php -q /home/.*/public_html/client/admin/cron.php
pcmd:/usr/bin/php -q /home/.*/public_html/client/pipe/pop.php
cmd:/usr/sbin/postgrey -d --unix=/var/spool/postfix/postgrey/socket
cmd:/usr/libexec/usermin/mailbox/index.cgi
cmd:/usr/bin/freshclam --quiet --datadir=/var/lib/clamav --log=/var/log/clamav/freshclam.log
cmd:spamd child
cmd:/usr/libexec/webmin/virtual-server/backup.pl
cmd:/usr/bin/python -S /usr/lib/mailman/cron/gate_news
Here is a (work in progress) ''csf.pignore'' file for a Zimbra (monolithic) mail server; the standard header comment is the same as in the file above and is omitted here:
exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/sbin/pure-ftpd
exe:/usr/local/apache/bin/httpd
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/sbin/named
exe:/usr/sbin/ntpd
exe:/bin/dbus-daemon
exe:/usr/sbin/exim4
exe:/sbin/ntpd
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/sbin/rpcbind
exe:/usr/sbin/rpc.statd
exe:/usr/sbin/chronyd
exe:/usr/bin/lsmd
exe:/usr/bin/dbus-daemon
cmd:/usr/bin/vmstat -n -S K 30
cmd:/bin/bash /opt/zimbra/bin/zmconfigdctl start norewrite
cmd:/bin/bash /opt/zimbra/bin/zmopendkimctl status norewrite
cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogger
cmd:zmlogger: zmrrdfetch: server
cmd:/opt/zimbra/java/bin/java -version
cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogprocess
cmd:/usr/bin/perl /opt/zimbra/bin/zmcontrol status
cmd:/usr/bin/perl /opt/zimbra/libexec/zmstatuslog
cmd:/usr/bin/perl -T /opt/zimbra/amavisd/sbin/amavisd -X no_conf_file_writable_check -c /opt/zimbra/conf/amavisd.conf
cmd:/usr/bin/python -S /usr/lib/mailman/cron/gate_news
pcmd:sh -c /opt/zimbra/bin/zmantivirusctl.*
pcmd:/bin/bash /opt/zimbra/bin/zmantivirusctl.*
pcmd:/usr/bin/perl -T -w /opt/zimbra/libexec/sa-learn.*
pcmd:/bin/bash /opt/zimbra/bin/zmjava.*
pcmd:/usr/bin/perl /opt/zimbra/libexec/zmdailyreport.*
pcmd:/bin/bash -c /opt/zimbra/libexec/zmlogprocess.*
pcmd:/usr/bin/iostat -d -k.*
pcmd:/usr/bin/perl -w /opt/zimbra/libexec/zmstat-.*
pcmd:/opt/zimbra/libexec/logswatch --config-file=/opt/zimbra.*
pcmd:/bin/sh /opt/zimbra/mariadb/bin/mysqld_safe --defaults-file=/opt.*
pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Djava.net.preferIPv4Stack=true.*
pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Dzimbra.home=/opt/zimbra.*
pcmd:/opt/zimbra/java/bin/java -Dfile.encoding=UTF-8 -server -Djava.awt.headless=true.*
pcmd:/opt/zimbra/java/bin/java -client -cp /opt/zimbra/lib/jars.*
pcmd:/opt/zimbra/amavisd/sbin/amavisd.*
pcmd:/usr/bin/perl -T /opt/zimbra/amavisd/sbin/amavis-.*
pcmd:/usr/bin/perl /opt/zimbra/libexec/swatch --config-file=/opt/zimbra/conf/swatchrc.*
pcmd:/usr/bin/perl /opt/zimbra/data/tmp/.swatch_script.*
pcmd:/bin/bash /opt/zimbra/bin/zmconfigdctl .*
pcmd:/bin/bash -c /opt/zimbra/libexec/zmstatuslog .*
pexe:/opt/zimbra/postfix-.*/libexec/anvil
pexe:/opt/zimbra/mariadb-.*/bin/mysqld
pexe:/opt/zimbra/postfix-.*/libexec/lmtp
pexe:/opt/zimbra/postfix-.*/libexec/smtpd
pexe:/opt/zimbra/postfix-.*/libexec/proxymap
pexe:/opt/zimbra/postfix-.*/libexec/qmgr
pexe:/opt/zimbra/postfix-.*/libexec/tlsmgr
pexe:/opt/zimbra/httpd-.*/bin/rotatelogs
pexe:/opt/zimbra/httpd-.*/bin/httpd
pexe:/opt/zimbra/cyrus-sasl-.*/sbin/saslauthd
pexe:/opt/zimbra/postfix-.*/libexec/pickup
pexe:/opt/zimbra/postfix-.*/libexec/showq
pexe:/opt/zimbra/unbound-.*/sbin/unbound
pexe:/opt/zimbra/memcached-.*/bin/memcached
pexe:/opt/zimbra/clamav-.*/sbin/clamd
pexe:/opt/zimbra/clamav-.*/bin/freshclam
pexe:/opt/zimbra/openldap-.*/sbin/slapd
pexe:/opt/zimbra/nginx-.*/sbin/nginx
pexe:/opt/zimbra/opendkim-.*/sbin/opendkim
pexe:/opt/zimbra/postfix-.*/libexec/bounce
pexe:/opt/zimbra/postfix-.*/libexec/trivial-rewrite
pexe:/opt/zimbra/postfix-.*/libexec/cleanup
pexe:/opt/zimbra/postfix-.*/libexec/smtp
==== Suspicious File Tracking ====
Edit the ''/etc/csf/csf.fignore'' file to ignore valid files and directories:
vim /etc/csf/csf.fignore
/tmp/\.horde
/tmp/\.horde/.*
/tmp/\.spamassassin.*tmp
/tmp/\.webmin/.*_backup.pl
==== Alerts ====
https://www.namecheap.com/support/knowledgebase/article.aspx/10093/30/csflfd-security-notifications
https://www.knownhost.com/wiki/security/csf-lfd/notifications
* ''LF_EMAIL_ALERT'' - sends an email alert if an IP address is blocked by one of the triggers.
* ''LF_PERMBLOCK_ALERT'' - sends an email alert if an IP address is permanently blocked. This happens when the address has been temporarily blocked ''LF_PERMBLOCK_COUNT'' times within ''LF_PERMBLOCK_INTERVAL'' seconds.
* ''LF_NETBLOCK_ALERT'' - sends an email alert if a whole netblock was blocked by ''LF_NETBLOCK'' (the class size and thresholds are configured by the adjacent ''LF_NETBLOCK_*'' parameters).
* ''LF_DISTFTP_ALERT'' - sends an email alert if ''LF_DISTFTP'' is triggered. The ''LF_DISTFTP'' option will keep track of all successful FTP logins. It blocks all the IPs that are suspected in being involved into an FTP distributed attack. You can configure it by editing the parameters in the Distributed Attacks section.
* ''LF_DISTSMTP_ALERT'' - sends an email alert if ''LF_DISTSMTP'' is triggered. The same scenario applies as above, but for SMTP.
* ''LT_EMAIL_ALERT'' - sends an email alert if the account exceeds a certain number of hourly logins per IP address.
* ''CT_EMAIL_ALERT'' - sends an email alert if an IP address is blocked due to connectivity tracking.