
ConfigServer Security & Firewall (CSF)

Prerequisites

CSF needs unzip, ipset and a handful of Perl modules. The second command set below also installs Webmin, which provides a web GUI for CSF and host management; if Webmin is already present, only the first set is needed.

Ubuntu

Webmin Already Installed

apt-get install unzip ipset libwww-perl liblist-compare-perl liblwp-protocol-https-perl \
libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl \
libsocket6-perl libgd-graph-perl

No Webmin Installed

:!: apt-key is deprecated on Ubuntu 22.04 and later; if the key import below fails, follow the current repository instructions on webmin.com instead.

echo -e "\n# Webmin\ndeb http://download.webmin.com/download/repository sarge contrib\ndeb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib" >> /etc/apt/sources.list
wget -q http://www.webmin.com/jcameron-key.asc -O- | apt-key add -
add-apt-repository universe && apt update

apt install webmin unzip ipset libwww-perl liblist-compare-perl \
liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \
libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl

Installation

Prep Default Firewall

You may optionally open a few holes in the default (ufw) firewall first, so that if it is ever re-enabled you keep management access:

Ubuntu

systemctl status ufw.service
ufw status verbose
ufw allow from <your_management_ip_cidr> proto tcp to any port 10000 #Webmin

Install CSF

http://www.maxwhale.com/how-to-install-csf-on-webmin/

http://www.ask-gabe.com/server-admin/how-to-install-csf-config-server-firewall-with-webmin-support/

:!: The installer prints the ports currently listening (see the install output under Notes) but, as that output says, does not auto-configure CSF from them: set TCP_IN, UDP_IN and the IPv6 equivalents yourself.

:!: Upon installation CSF runs in Testing Mode (TESTING = 1): a cron job clears the rules every TESTING_INTERVAL minutes and LFD will not run. Set TESTING = 0 once the configuration is verified, or the firewall is not actually protecting anything.

:!: Upon installation, check the OS Specific Settings and verify that your OS was detected properly and that the log file locations are correct.

rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Log Restrictions

:!: Do not enable CSF's log restriction feature when using Virtualmin, at least not without serious research and testing; leave RESTRICT_SYSLOG = 0.

:!: If you use RESTRICT_SYSLOG = 3, every user that runs a service writing to syslog must be in the mysyslog group, or that service's log messages are lost. List the users owning running processes and add the relevant ones:

ps -eo user= | sort -u                # users owning running processes
groupadd mysyslog                     # if the group doesn't already exist
usermod -aG mysyslog root             # -a appends; plain -G would replace root's supplementary groups
# typical candidates: syslog daemon messagebus systemd-network systemd-resolve
#                     clamav www-data proftpd postfix mysql dovecot opendkim postgrey zimbra lool
getent group mysyslog                 # verify the membership

Install the CSF Webmin Module

Webmin → Webmin Configuration → Webmin Modules → From local file → /etc/csf/csfwebmin.tgz → Install Module

Ubuntu Startup

If another firewall is configured, stop it and make sure it doesn't auto-start, or remove it.

Disable the existing firewall, then enable and start CSF and LFD:

ufw disable
systemctl disable firewalld.service && systemctl stop firewalld.service
systemctl disable fail2ban.service && systemctl stop fail2ban.service
csf -e && lfd -e
csf -s && lfd -s

The CSF install script will enable CSF to auto-start.

CentOS Startup

Disable and stop iptables and firewalld:

service iptables stop && chkconfig iptables off
service ip6tables stop && chkconfig ip6tables off
systemctl stop firewalld && systemctl disable firewalld

Enable and start CSF and LFD:

chkconfig csf on
csf -e && lfd -e
csf -s && lfd -s

Verify Functionality

csftest.pl checks that the iptables/netfilter modules CSF needs are present; every test should report OK before you continue:

perl /usr/local/csf/bin/csftest.pl

SSH Login Tracking

Add the addresses you administer from to /etc/csf/csf.ignore so LFD never blocks them (LFD must be restarted after editing it):

vim /etc/csf/csf.ignore

Disable repeated-message reduction in rsyslog so that every failed login is written as its own line and counted:

grep -r Repeat /etc/rsyslog.*

sed -i 's/RepeatedMsgReduction\ on/RepeatedMsgReduction\ off/' /etc/rsyslog.conf
service rsyslog restart
csf -ra

Basic Command Line

http://www.linuxbrigade.com/learn-the-csf-command-line-options/

http://www.hostdime.com/resources/csf-ssh-command-line-commands/

csf                      with no options, prints the full option list
csf -l                   shows the current iptables rules (CSF status)
csf -d IPADDRESS         denies an IP (adds it to csf.deny)
csf -a IPADDRESS         allows an IP (adds it to csf.allow)
csf -r                   reloads all rules
csf -ra                  restarts CSF and LFD
csf -f                   flushes/unloads all rules (LFD may restart CSF)
csf -u                   updates CSF
csf -e                   enables CSF and LFD again after csf -x
service csf restart      restarts the CSF service
service lfd restart      restarts the LFD service
csf -x                   stops and disables CSF and LFD

Configuration

Configure Webmin

:!: Settings shown are for a Virtualmin hosting server.

http://www.woktron.com/secure/knowledgebase/77/Installation-CSF-Firewall-on-CentOS-5-and-6.html

https://www.digitalocean.com/community/articles/how-to-install-and-configure-config-server-firewall-csf-on-ubuntu

Webmin → System → ConfigServer Security & Firewall

Sample Firewall Configuration

Setting                  Value
TESTING                  0
IPV6                     1
TCP_IN                   20,21,22,25,53,80,110,143,443,465,587,993,995
TCP_OUT                  20,21,22,25,53,80,110,113,443
UDP_IN                   20,21,53
UDP_OUT                  20,21,53,113,123,33434:33523
TCP6_IN                  20,21,22,25,53,80,110,143,443,465,587,993,995
TCP6_OUT                 20,21,22,25,53,80,110,113,443
UDP6_IN                  20,21,53
UDP6_OUT                 20,21,53,113,123,33434:33523
USE_CONNTRACK            1
SYSLOG_CHECK             600
DENY_IP_LIMIT            1000
DENY_TEMP_IP_LIMIT       1000
LF_IPSET                 1
SYNFLOOD                 1
CONNLIMIT                22;10,80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5
PORTFLOOD                22;tcp;15;300,80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5
DROP_OUT_LOGGING         1
CONNLIMIT_LOGGING        1
LF_PERMBLOCK_COUNT       2
LF_NETBLOCK              1
SAFECHAINUPDATE          1
DYNDNS                   600
URLGET                   2
LF_SELECT                1
LF_SSHD                  5
LF_SSHD_PERM             600
LF_FTPD                  10
LF_FTPD_PERM             600
LF_SMTPAUTH              10
LF_SMTPAUTH_PERM         600
LF_POP3D                 10
LF_POP3D_PERM            600
LF_IMAPD                 10
LF_IMAPD_PERM            600
LF_HTACCESS              5
LF_HTACCESS_PERM         600
LF_MODSEC                5
LF_MODSEC_PERM           600
LF_BIND                  100
LF_BIND_PERM             600
LF_SUHOSIN               5
LF_SUHOSIN_PERM          600
LF_CXS                   1
LF_WEBMIN                10
LF_WEBMIN_PERM           600
LF_APACHE_404            100
LF_APACHE_403            100
LF_DISTATTACK            1
LF_DISTFTP               5
LF_DISTSMTP              5
LT_POP3D                 60
LT_IMAPD                 100
LT_SKIPPERMBLOCK         1
CT_LIMIT                 300

:!: Port 10000 (Webmin) is deliberately absent from TCP_IN; it is opened only for management addresses in csf.allow (see Sample Allow Entries).

:!: CONNLIMIT entries are port;max concurrent connections per IP. PORTFLOOD entries are port;protocol;max new connections;interval in seconds. 33434:33523 in UDP_OUT is the outbound traceroute range and 113 is ident.

:?: LF_SELECT = 1 blocks only the port a login failure was seen on. The LF_* triggers that follow it only matter for services the server actually runs; if your server doesn't offer a service, leave its trigger alone.
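A post-configuration check, added here as an example and not CSF's own code, that reads the KEY = "value" lines of a csf.conf and flags the three settings from the table above that most often bite: TESTING left at 1, the SSH port missing from TCP_IN, and RESTRICT_SYSLOG = 3 without the group work from the Log Restrictions section. The csf.conf excerpt it is run against is constructed; the SSH port is passed in rather than discovered.

```shell
# csf.conf sanity check (added example, not part of CSF). Works on any path you
# give it, so it can be run on a backup copy before restoring it to a new host.

csf_conf_get() {
    # $1 = csf.conf path, $2 = key; prints the value without quotes ("" if unset)
    sed -n "s/^$2 *= *\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

port_in_list() {
    # $1 = port number, $2 = csf port list such as "22,80,33434:33523" (ranges LOW:HIGH)
    printf '%s\n' "$2" | tr ',' '\n' | while IFS=: read -r lo hi; do
        hi=${hi:-$lo}
        [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ] && { echo yes; break; }
    done | grep -q yes
}

csf_conf_audit() {
    # $1 = csf.conf path, $2 = SSH port (default 22)
    # prints one finding per line; prints nothing when the file passes
    ssh_port=${2:-22}
    [ "$(csf_conf_get "$1" TESTING)" = "0" ] \
        || echo "TESTING is not 0: the csf cron job keeps clearing the rules and lfd will not start"
    port_in_list "$ssh_port" "$(csf_conf_get "$1" TCP_IN)" \
        || echo "SSH port $ssh_port is not in TCP_IN: you will lock yourself out once TESTING is 0"
    [ "$(csf_conf_get "$1" RESTRICT_SYSLOG)" != "3" ] \
        || echo "RESTRICT_SYSLOG is 3: every user that writes to syslog must be in the mysyslog group first"
}

write_sample_csf_conf() {
    # Constructed csf.conf excerpt with all three problems present (not a real file)
    cat > "$1" <<'EOF'
###############################################################################
# constructed excerpt, not a real csf.conf
TESTING = "1"
TESTING_INTERVAL = "5"
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995"
UDP_OUT = "20,21,53,113,123,33434:33523"
RESTRICT_SYSLOG = "3"
EOF
}
```

Usage: csf_conf_audit /etc/csf/csf.conf 22 (substitute your SSH port). Run it right before setting TESTING = 0 and again after restoring a backup onto a new server, where the SSH port is the setting most likely to differ.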

Sample Allow Entries

An entry is either a bare address (all traffic to and from it is allowed) or an advanced rule of the form protocol|direction|port|address:

  • protocol is tcp, udp or icmp.
  • direction is in (incoming) or out (outgoing).
  • port is d=PORT (destination) or s=PORT (source); a range is written LOW_HIGH.
  • address is s=IP for incoming rules and d=IP for outgoing rules; CIDR blocks are accepted.
  • Anything after # on a line is a comment.

Edit /etc/csf/csf.allow:

vim /etc/csf/csf.allow

To allow access to port 25 from a particular IP address, add a line like:

tcp|in|d=25|s=1.2.3.4

To allow outbound mail to port 587 to a particular mail server IP address, add a line like:

tcp|out|d=587|d=1.2.3.4

To allow Webmin access:

# Webmin Access
tcp|in|d=10000|s=1.2.3.4   # Allow from your management IP or CIDR

To allow a range of ports to and from a remote host:

tcp|in|d=10000_10010|s=1.2.3.4
tcp|out|d=10001_10010|d=1.2.3.4

:!: Reload the rules after editing (csf -r), or restart CSF and LFD with csf -ra.
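A validator for the entry syntax just described, added here as an example and not CSF's own code: it accepts the IPv4 forms this page uses (a bare address or CIDR block, and proto|direction|d=PORT|s=IP or d=IP with LOW_HIGH port ranges, with trailing # comments) and rejects anything else, so a typo never sits silently in csf.allow. IPv6 entries and the other field types CSF's readme documents are out of scope by assumption and are reported as bad.

```shell
# csf.allow / csf.deny line validator (added example, not part of CSF).
# IPv4 only; anything outside the forms shown on this page is rejected.

OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
IPV4="$OCTET\\.$OCTET\\.$OCTET\\.$OCTET"
IP_OR_CIDR="$IPV4(/([0-9]|[12][0-9]|3[0-2]))?"
PORT='[0-9]{1,5}(_[0-9]{1,5})?'

csf_rule_ok() {
    # $1 = one line from csf.allow; returns 0 if it is well formed
    rule=$(printf '%s' "$1" | sed 's/#.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
    [ -z "$rule" ] && return 0                      # blank or comment-only line
    printf '%s\n' "$rule" | grep -Eq "^$IP_OR_CIDR\$" && return 0
    printf '%s\n' "$rule" | grep -Eq \
        "^(tcp|udp|icmp)\|(in|out)\|[sd]=$PORT\|[sd]=$IP_OR_CIDR\$"
}

csf_check_file() {
    # $1 = file to check; prints a verdict per line, returns 1 if any line is bad
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        if csf_rule_ok "$line"; then
            printf 'ok   %s\n' "$line"
        else
            printf 'BAD  %s\n' "$line"
            status=1
        fi
    done < "$1"
    return $status
}

write_sample_allow() {
    # Constructed csf.allow: the page's examples plus two deliberate mistakes at the end
    cat > "$1" <<'EOF'
# Webmin Access
tcp|in|d=10000|s=1.2.3.4   # Allow from your management IP or CIDR
10.0.0.0/8
tcp|in|d=25|s=1.2.3.4
tcp|out|d=587|d=1.2.3.4
tcp|in|d=10000_10010|s=1.2.3.4
tcp|in|d=22|s=1.2.3.999
tcp|in|d=22|s=1.2.3.4|
EOF
}
```

Usage: csf_check_file /etc/csf/csf.allow before csf -r; the function's exit status makes it usable as a guard in a deployment script.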

Backup and Restore CSF

Web Interface

There is a backup and restore function of the web interface under Firewall Profiles.

:!: Backups are stored in /var/lib/csf/backup/.

CLI

http://www.host-stage.net/client-area/knowledgebase/53/How-To-Backup-or-Restore-or-Export-your-CSF-Firewall-Configuration.html

cd /etc/csf/
tar cvfz csfbackup.tgz csf.conf csf.allow csf.dyndns csf.deny csf.*ignore csf.blocklists

:!: Copy the csfbackup.tgz file to the new server and move it into /etc/csf/ before extracting.

cd /etc/csf/ && tar -xzvf csfbackup.tgz

:!: You may need to manually deal with /usr/local/csf/bin/regex.custom.pm if you have customized LFD.

Logging

CSF logs to syslog (/var/log/messages or /var/log/syslog).

LFD generally logs to /var/log/lfd.log but can optionally log to syslog as well.

Log Pollution

DROP_NOLOG = 67,68,111,113,135:139,445,500,513,520,5678

CSF does not log drops on these ports, to save disk space and keep the log readable. The list above adds port 5678, which MikroTik neighbour discovery (MNDP) broadcasts constantly on many LANs.

Log to Separate File

:!: If you do this, point IPTABLES_LOG in csf.conf at the new file, because LFD reads the firewall log from that path.

On a busy server the iptables lines drown out everything else in syslog. The rsyslog rule below diverts them into a separate file.

CentOS/Redhat

/etc/rsyslog.d/iptables.conf
# Log CSF iptables to a separate file & discard it from all subsequent rules:
:msg, startswith, "Firewall: " -/var/log/iptables.log
& stop

Restart the rsyslog service:

systemctl restart rsyslog.service

Rotate the new file with /etc/logrotate.d/iptables:

/var/log/iptables.log
{
        rotate 7
        daily
        missingok
        notifempty
        delaycompress
        compress
        create 0600 root root
        postrotate
                systemctl restart rsyslog.service ; sleep 5
        endscript
}

Ubuntu/Debian

On Ubuntu the message begins with the kernel's printk timestamp, e.g. [306786.268889], before "Firewall: ", so the match uses contains instead of startswith.

/etc/rsyslog.d/15-iptables.conf
# Log CSF iptables to a separate file & discard it from all subsequent rules:
:msg, contains, "Firewall: " -/var/log/iptables.log
& stop

Rotate the new file with /etc/logrotate.d/iptables:

/var/log/iptables.log
{
        rotate 7
        daily
        missingok
        notifempty
        delaycompress
        compress
        create 0640 syslog adm
        postrotate
                systemctl restart rsyslog.service ; sleep 5
        endscript
}

Restart rsyslog Service

systemctl restart rsyslog.service

Force Log Rotation

/usr/sbin/logrotate -f /etc/logrotate.conf

Blocklists

Research: http://forum.configserver.com/viewtopic.php?t=7719

Edit csf.blocklists (self-documented) and un-comment at least the CIDR lists:

  • SPAMDROP
  • SPAMEDROP
  • DSHIELD
With ipset installed and LF_IPSET enabled, and enough CPU and memory, you can enable as many blocklists as you want.

The CIDR lists above will cover about 92%; if you have resources to spare (CPU, memory), also consider these lists:

  • BOGON (includes RFC 1918 private ranges, so only enable it on a host that never receives legitimate traffic from private addresses, i.e. not behind NAT or on a LAN)
  • HONEYPOT
  • BFB
  • OPENBL
  • MAXMIND
  • CIARMY
  • AUTOSHUN

Dynamic DNS

Edit csf.dyndns and add the dynamic DNS host names (FQDNs) you want to permit through the firewall.

Temporary Bans

:!: The default DENY_TEMP_IP_LIMIT setting is 1000. It is often necessary to raise it, assuming you have the resources.

Temporary bans are not kept in ipset; each one is an individual iptables rule, so a very large temporary ban list makes CSF slow to restart and costs CPU and RAM.

The temporary bans are kept in a file: /var/lib/csf/csf.tempban

Troubleshooting

Hanging

Try flushing the temporary blocks (csf -tf), the permanent blocks in csf.deny (csf -df), or both, then restart CSF and LFD:

csf -tf && csf -df && csf -ra

Watch Mode

WATCH_MODE = "0"

If you are stuck troubleshooting, set WATCH_MODE = "1", restart CSF, and then csf -w <ip> logs every iptables chain that address traverses so you can see where it is accepted or dropped. Leave it off in normal operation.

Pull IP Address List from Log

https://www.iplocation.net/

Check where the results come from, then decide which to block permanently in csf.deny. This lists the unique addresses that failed Postfix SASL authentication:

grep "SASL LOGIN authentication failed" /var/log/mail.log |grep -Eo "unknown\[([0-9]{1,3}[\.]){3}[0-9]{1,3}" |grep -Eo "([0-9]{1,3}[\.]){3}[0-9]{1,3}" |sort |uniq

Use this command to look for Dovecot login attempts against a particular domain's mailboxes:

grep "auth failed" /var/log/mail.log |grep somedomain |grep -Eo "rip=([0-9]{1,3}[\.]){3}[0-9]{1,3}" |grep -Eo "([0-9]{1,3}[\.]){3}[0-9]{1,3}" |sort |uniq
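A triage helper that generalises the two grep pipelines above, added as an example here and not part of CSF: it counts failed SMTP (Postfix SASL) and POP/IMAP (Dovecot) logins per source address and prints the addresses at or above a threshold, most failures first, ready to be reviewed and turned into csf -d commands. The mail.log excerpt it runs on is constructed with documentation addresses; the line shapes assumed are the Postfix client[IP] SASL warning and the Dovecot "(auth failed ...) ... rip=IP" disconnect shown on this page.

```shell
# Failed-login triage for /var/log/mail.log (added example, not part of CSF).

failed_login_ips() {
    # $1 = mail log path, $2 = minimum failure count (default 5)
    # output: "IP COUNT" per line, highest COUNT first
    min=${2:-5}
    {
        # Postfix: "... warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: ..."
        grep 'SASL [A-Z-]* authentication failed' "$1" \
            | grep -Eo '\[([0-9]{1,3}\.){3}[0-9]{1,3}\]' | tr -d '[]'
        # Dovecot: "... Disconnected (auth failed, 1 attempts ...): ..., rip=203.0.113.10, ..."
        grep 'auth failed' "$1" \
            | grep -Eo 'rip=([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d= -f2
    } | sort | uniq -c \
      | awk -v min="$min" '$1 >= min { print $2, $1 }' | sort -k2,2nr
}

deny_commands() {
    # Turn failed_login_ips output into csf -d commands to review, never to run blind
    while read -r ip n; do
        printf 'csf -d %s "%s failed mail logins"\n' "$ip" "$n"
    done
}

write_sample_mail_log() {
    # Constructed /var/log/mail.log excerpt (documentation addresses only)
    cat > "$1" <<'EOF'
Nov 13 13:20:01 mail postfix/smtpd[1234]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 13 13:20:02 mail postfix/smtpd[1234]: warning: unknown[203.0.113.10]: SASL PLAIN authentication failed: authentication failure
Nov 13 13:20:03 mail postfix/smtpd[1235]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 13 13:20:04 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@somedomain.tld>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1, TLS
Nov 13 13:20:05 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 5 secs): user=<alice>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1
Nov 13 13:20:06 mail postfix/smtpd[1236]: connect from unknown[198.51.100.7]
Nov 13 13:20:07 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.1, TLS
EOF
}
```

Usage: failed_login_ips /var/log/mail.log 20 | deny_commands prints one csf -d line per offender; on the sample above only 203.0.113.10 (four failures across SMTP and IMAP/POP) clears a threshold of 3, while 198.51.100.7 with a single failure and 192.0.2.55 with a successful login do not. Check the addresses against geolocation or your own customer list before pasting the commands, since a customer with a mistyped password looks identical to an attacker in this output.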

Notes

Results of install script on a Virtualmin server:

TCP ports currently listening for incoming connections:
22,25,53,110,143,587,993,995,3306,10000,20000

UDP ports currently listening for incoming connections:
53,123,10000,20000

IPv6 TCP ports currently listening for incoming connections:
21,22,25,53,80,110,143,443,587,993,995

IPv6 UDP ports currently listening for incoming connections:
53,123

Note: The port details above are for information only, csf hasn't been auto-configured.

Don't forget to:
1. Configure the following options in the CSF configuration to suite your server: TCP_*, UDP_*, IPV6, TCP6_*, UDP6_*
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so

Adding current SSH session IP address to the csf whitelist in csf.allow:
Adding 192.168.0.69 to csf.allow only while in TESTING mode (not iptables ACCEPT)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
`/etc/csf/csfwebmin.tgz' -> `/usr/local/csf/csfwebmin.tgz'

Installation Completed

LFD - Login Failure Daemon

Custom RegEx: https://forum.configserver.com/viewtopic.php?t=7517

LFD does more than monitor log files for login failures: it also watches processes, suspicious files and per-IP connection counts (see below) and mails root about each.

LFD, in some opinions, is the best reason to implement the CSF firewall!

:!: After a fresh install of CSF+LFD, LFD's process and suspicious-file tracking will send root a flood of warning e-mails. Tune the ignore files (csf.pignore, csf.fignore) so the remaining alerts mean something; the tracking mechanisms can also simply be turned off, but then you lose them.

:!: Make sure root's mail is routed to a real user! Otherwise unread messages can fill the disk.

See also: Route Administrative Mail to a Real Administrator

You will need to adjust the LFD configuration to make the e-mail notices truly useful, and they are!

:!: After modifying an 'ignore' file, restart LFD:

service lfd restart

Postfix

Virtualmin SMTP: https://www.virtualmin.com/comment/737419#comment-737419

:!: The Postfix MTA is not directly supported by LFD. You must use custom settings. FIXME Is this still true?

CentOS

http://forum.configserver.com/viewtopic.php?f=6&t=6968

Add a custom RegEx to detect SMTP authentication failures:

vim /usr/local/csf/bin/regex.custom.pm

Insert (the values returned are: alert text, the offending IP, a unique trigger name, the number of matches before blocking, the ports to block, and the temporary block length in seconds):

# Postfix
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","3","25","600");
}

Now edit the CSF configuration to tell LFD which log file to scan with the new RegEx:

vim /etc/csf/csf.conf

Change:

CUSTOM1_LOG = "/var/log/maillog"

Ubuntu

https://forum.configserver.com/viewtopic.php?f=6&t=7517&p=29227&hilit=postfix#p29227

In /etc/csf/csf.conf:

CUSTOM1_LOG = "/var/log/mail.log"

In /usr/local/csf/bin/regex.custom.pm (the daemon-name group is non-capturing, (?:...), so that $1 is the client IP rather than "postfix/smtpd"):

# Postfix
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (?:postfix\/smtpd|postfix\/smtps\/smtpd)\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[([.[:digit:]]+)\]: SASL (LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed.*/)) {
    return ("Failed SMTP AUTH from",$1,"csmtpautherr","5","25,587","3600");
}

Zimbra

FIXME needs verification

/var/log/maillog
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ .* postfix\/s.*\/smtpd\[\d+\]: warning: .*\[(\d+\.\d+\.\d+\.\d+)\]: SASL (LOGIN|PLAIN|login) authentication failed:/)) {
return ("Failed SASL login from",$1,"mysaslmatch","5","25,587","3600");
}

Track the Culprit

OS Log File
CentOS/Redhat /var/log/secure
Ubuntu/Debian /var/log/auth.log
Zimbra /opt/zimbra/log/audit.log

Copy the date and time from the e-mail message from LFD and use a command like this to see which user is failing to log in:

grep "Nov 13 13:20" /var/log/secure

ProFTPd

Virtualmin ProFTPd: https://www.virtualmin.com/comment/737419#comment-737419

vim /etc/csf/csf.conf

CentOS

FTPD_LOG = "/var/log/secure"

Ubuntu

FTPD_LOG = "/var/log/proftpd/proftpd.log"

FIXME Testing…

LFD is not detecting logged problems…

vim /usr/local/csf/bin/regex.custom.pm
# ProFTPd
if (($lgfile eq $config{FTPD_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? USER (\S*): no such user found from/)) {
    return ("Failed FTP AUTH from",$2,"cftpautherr","5","20,21","3600");
}

Dovecot

Ubuntu

In /etc/csf/csf.conf:

FTPD_LOG = "/var/log/proftpd/proftpd.log"
CUSTOM1_LOG = "/var/log/mail.log"

In /usr/local/csf/bin/regex.custom.pm (the Postfix daemon-name group is non-capturing so that $1 is the client IP; the ProFTPd pattern captures the IP in group 2 and returns $2):

# Postfix SASL Auth
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (?:postfix\/smtpd|postfix\/smtps\/smtpd)\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[([.[:digit:]]+)\]: SASL (LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed.*/)) {
    return ("Failed SMTP AUTH from",$1,"csmtpautherr","5","25,465,587","3600");
}

# ProFTPd
if (($lgfile eq $config{FTPD_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? USER (\S*): no such user found from/)) {
    return ("Failed FTP AUTH from",$2,"cftpautherr","5","20,21","3600");
}

# Dovecot
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: .* \(auth failed.* rip=([.[:digit:]]+).*/)) {
    return ("Failed Dovecot AUTH from",$1,"cimapautherr","5","110,143,993,995","3600");
}

Process Tracking

http://forum.configserver.com/viewtopic.php?f=6&t=2059

The process tracking facility of LFD monitors the processes running on your server and watches for odd behavior. Ever had a web site abused to run rogue PHP processes? LFD will let you know when it happens.

Here is a /etc/csf/csf.pignore file that has been (mostly) adjusted to ignore the normal processes running on a Virtualmin hosting server with a base CentOS 6.6 operating system:

###############################################################################
# Copyright 2006-2014, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt

exe:/usr/bin/php-cgi
exe:/usr/sbin/clamd
exe:/usr/sbin/dkim-filter
exe:/usr/sbin/httpd
exe:/usr/sbin/named
exe:/usr/sbin/ntpd
exe:/usr/sbin/proftpd
exe:/usr/sbin/sshd
exe:/usr/sbin/zabbix_agentd
exe:/usr/libexec/mysqld
exe:/usr/libexec/dovecot/anvil
exe:/usr/libexec/dovecot/auth
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/imap-login
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/postfix/anvil
exe:/usr/libexec/postfix/cleanup
exe:/usr/libexec/postfix/local
exe:/usr/libexec/postfix/pickup
exe:/usr/libexec/postfix/qmgr
exe:/usr/libexec/postfix/smtpd
exe:/usr/libexec/postfix/smtp
exe:/usr/libexec/postfix/tlsmgr
exe:/usr/libexec/postfix/trivial-rewrite
exe:/usr/libexec/postfix/virtual
exe:/usr/libexec/postfix/proxymap
exe:/usr/libexec/postfix/lmtp
exe:/usr/libexec/postfix/scache
exe:/usr/libexec/postfix/master

pcmd:/usr/bin/python /usr/lib/mailman/bin/qrunner.*
pcmd:/usr/bin/python /usr/lib/mailman/bin/mailmanctl.*
pcmd:webalizer -c /etc/webmin/webalizer/var_log_virtualmin_.*
pcmd:/usr/bin/php -q /home/.*/public_html/client/crons/domainsync.php
pcmd:/usr/bin/php -q /home/.*/public_html/client/admin/cron.php
pcmd:/usr/bin/php -q /home/.*/public_html/client/pipe/pop.php

cmd:/usr/sbin/postgrey -d --unix=/var/spool/postfix/postgrey/socket
cmd:/usr/libexec/usermin/mailbox/index.cgi
cmd:/usr/bin/freshclam --quiet --datadir=/var/lib/clamav --log=/var/log/clamav/freshclam.log
cmd:spamd child
cmd:/usr/libexec/webmin/virtual-server/backup.pl
cmd:/usr/bin/python -S /usr/lib/mailman/cron/gate_news

Here is a (work in progress) csf.pignore file for a Zimbra (monolithic) mail server:

###############################################################################
# Copyright 2006-2014, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt

exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/sbin/pure-ftpd
exe:/usr/local/apache/bin/httpd
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/sbin/named
exe:/usr/sbin/ntpd
exe:/sbin/ntpd
exe:/bin/dbus-daemon
exe:/usr/sbin/exim4
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login

exe:/usr/sbin/rpcbind
exe:/usr/sbin/rpc.statd
exe:/usr/sbin/chronyd
exe:/usr/bin/lsmd
exe:/usr/bin/dbus-daemon

cmd:/usr/bin/vmstat -n -S K 30
cmd:/bin/bash /opt/zimbra/bin/zmconfigdctl start norewrite
cmd:/bin/bash /opt/zimbra/bin/zmopendkimctl status norewrite
cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogger
cmd:zmlogger: zmrrdfetch: server
cmd:/opt/zimbra/java/bin/java -version
cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogprocess
cmd:/usr/bin/perl /opt/zimbra/bin/zmcontrol status
cmd:/usr/bin/perl /opt/zimbra/libexec/zmstatuslog
cmd:/usr/bin/perl -T /opt/zimbra/amavisd/sbin/amavisd -X no_conf_file_writable_check -c /opt/zimbra/conf/amavisd.conf
cmd:/usr/bin/python -S /usr/lib/mailman/cron/gate_news

pcmd:sh -c /opt/zimbra/bin/zmantivirusctl.*
pcmd:/bin/bash /opt/zimbra/bin/zmantivirusctl.*
pcmd:/usr/bin/perl -T -w /opt/zimbra/libexec/sa-learn.*
pcmd:/bin/bash /opt/zimbra/bin/zmjava.*
pcmd:/usr/bin/perl /opt/zimbra/libexec/zmdailyreport.*
pcmd:/bin/bash -c /opt/zimbra/libexec/zmlogprocess.*
pcmd:/usr/bin/iostat -d -k.*
pcmd:/usr/bin/perl -w /opt/zimbra/libexec/zmstat-.*
pcmd:/opt/zimbra/libexec/logswatch --config-file=/opt/zimbra.*
pcmd:/bin/sh /opt/zimbra/mariadb/bin/mysqld_safe --defaults-file=/opt.*
pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Djava.net.preferIPv4Stack=true.*
pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Dzimbra.home=/opt/zimbra.*
pcmd:/opt/zimbra/java/bin/java -Dfile.encoding=UTF-8 -server -Djava.awt.headless=true.*
pcmd:/opt/zimbra/java/bin/java -client -cp /opt/zimbra/lib/jars.*
pcmd:/opt/zimbra/amavisd/sbin/amavisd.*
pcmd:/usr/bin/perl -T /opt/zimbra/amavisd/sbin/amavis-.*
pcmd:/usr/bin/perl /opt/zimbra/libexec/swatch --config-file=/opt/zimbra/conf/swatchrc.*
pcmd:/usr/bin/perl /opt/zimbra/data/tmp/.swatch_script.*
pcmd:/bin/bash /opt/zimbra/bin/zmconfigdctl .*
pcmd:/bin/bash -c /opt/zimbra/libexec/zmstatuslog .*

pexe:/opt/zimbra/postfix-.*/libexec/anvil
pexe:/opt/zimbra/mariadb-.*/bin/mysqld
pexe:/opt/zimbra/postfix-.*/libexec/lmtp
pexe:/opt/zimbra/postfix-.*/libexec/smtpd
pexe:/opt/zimbra/postfix-.*/libexec/proxymap
pexe:/opt/zimbra/postfix-.*/libexec/qmgr
pexe:/opt/zimbra/postfix-.*/libexec/tlsmgr
pexe:/opt/zimbra/httpd-.*/bin/rotatelogs
pexe:/opt/zimbra/httpd-.*/bin/httpd
pexe:/opt/zimbra/cyrus-sasl-.*/sbin/saslauthd
pexe:/opt/zimbra/postfix-.*/libexec/pickup
pexe:/opt/zimbra/postfix-.*/libexec/showq
pexe:/opt/zimbra/unbound-.*/sbin/unbound
pexe:/opt/zimbra/memcached-.*/bin/memcached
pexe:/opt/zimbra/clamav-.*/sbin/clamd
pexe:/opt/zimbra/clamav-.*/bin/freshclam
pexe:/opt/zimbra/openldap-.*/sbin/slapd
pexe:/opt/zimbra/nginx-.*/sbin/nginx
pexe:/opt/zimbra/opendkim-.*/sbin/opendkim
pexe:/opt/zimbra/postfix-.*/libexec/bounce
pexe:/opt/zimbra/postfix-.*/libexec/trivial-rewrite
pexe:/opt/zimbra/postfix-.*/libexec/cleanup
pexe:/opt/zimbra/postfix-.*/libexec/smtp

Suspicious File Tracking

Edit the /etc/csf/csf.fignore file to ignore valid files and directories:

vim /etc/csf/csf.fignore
/tmp/\.horde
/tmp/\.horde/.*
/tmp/\.spamassassin.*tmp
/tmp/\.webmin/.*_backup.pl

Alerts

https://www.namecheap.com/support/knowledgebase/article.aspx/10093/30/csflfd-security-notifications

https://www.knownhost.com/wiki/security/csf-lfd/notifications

  • LF_EMAIL_ALERT - sends an e-mail alert when an IP address is blocked by one of the triggers.
  • LF_PERMBLOCK_ALERT - sends an e-mail alert when an IP address is permanently blocked, which happens after it has been temporarily blocked LF_PERMBLOCK_COUNT times.
  • LF_NETBLOCK_ALERT - sends an e-mail alert when a whole network block is blocked (the conditions are set in the adjacent LF_NETBLOCK_* parameters).
  • LF_DISTFTP_ALERT - sends an e-mail alert when LF_DISTFTP is triggered. LF_DISTFTP tracks successful FTP logins and blocks all IPs suspected of taking part in a distributed attack on one account; configure it in the Distributed Attacks section.
  • LF_DISTSMTP_ALERT - sends an e-mail alert when LF_DISTSMTP is triggered; the same scenario as above, but for SMTP.
  • LT_EMAIL_ALERT - sends an e-mail alert when an account exceeds a set number of logins per hour from one IP address.
  • CT_EMAIL_ALERT - sends an e-mail alert when an IP address is blocked by connection tracking (CT_LIMIT).
networking/firewall/csf.txt · Last modified: 2023/03/10 10:48 by gcooper