Securing CPanel

Berikut langkah – langkah yang dapat di gunakan untuk Mengamankan Server Cpanel dari RFI SQLI, Blind SQLI, Brute Froce, SYnc FLood, ICMP Flood, DDOS, XMAS Scanning, dll
1. Mod_security Digunakan untuk mencegah query dari sql injection dan blind sql injection pada applikasi web

aktifkan mod_security dengan default config yang telah di sediakan Main > Plugin > mod_security klik edit dan klik default configuration untuk generate default configuration dan klik Save
2. Apache Mod_userdir Protection mod_userdir apache yang memungkinkan pengguna untuk melihat situs mereka dengan memasukkan tilde (~) dan username mereka sebagai uri pada host tertentu. Misalnya http://test.cpanel.net/ ~ fred / akan memunculkan pengguna fred’s domain. Kerugian dari fitur ini adalah bahwa setiap penggunaan bandwidth yang digunakan oleh situs ini akan dimasukkan pada domain ini diakses bawah (dalam hal ini test.cpanel.net). perlindungan mod_userdir mencegah hal ini terjadi. Namun Anda mungkin ingin menonaktifkan pilihan ini virtual host tertentu (biasanya bersama host ssl.)

Main >> Security Center >> Apache mod_userdir Tweak Ceklist Enable mod_userdir Protection dan Save
3. cPHulk Brute Force Protection Untuk mencegah Brute Force aktifkan featur ini

Main >> Security Center >> cPHulk Brute Force Protection set to Enable
4. Host Access Control Pemberian batasan akses kepada service tertentu ke dalam file /etc/hosts atau TCP_wrapper

Main >> Security Center >> Host Access Control Sample Daemon Access List Action Comment sshd 192.168.0.0/255.255.255.0 allow Allow local SSH access sshd 198.66.254.254 allow Allow SSH from my specific IP sshd ALL deny Deny access from all other IPs
5. PHP open_basedir Tweak PHP’s open_basedir protection prevents users from opening files outside of their home directory with php.

klik Enable php open_basedir Protection dan save
6. Disable Function pada php.ini Beberapa attacker sering menggunakan php shell yang banyak di gunakan di internet yang function dari phpnya terlalu standart sehingga kita bisa mendisablenya

hati2 dalam mendisable_function, bisa2 website anda yang menggunakan fungsi tersebut tidak akan berjalan

berikut configurasi php.ini pada server saya

<pre>disable_functions = join_indobacktrack_or_id,maintenance_by_yusuf_indobacktrack_team,exec,passthru,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,popen,show_source,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,dl,symlink,shell_exec,system,dl,passthru,escapeshellarg,escapeshellcmd,myshellexec,c99_buff_prepare,c99_sess_put,fpassthru,getdisfunc,fx29exec,fx29exec2,is_windows,disp_freespace,fx29sh_getupdate,fx29_buff_prepare,fx29_sess_put,fx29shexit,fx29fsearch,fx29ftpbrutecheck,fx29sh_tools,fx29sh_about,milw0rm,imagez,sh_name,myshellexec,checkproxyhost,dosyayicek,c99_buff_prepare,c99_sess_put,c99getsource,c99sh_getupdate,c99fsearch,c99shexit,view_perms,posix_getpwuid,posix_getgrgid,posix_kill,parse_perms,parsesort,view_perms_color,set_encoder_input,ls_setcheckboxall,ls_reverse_all,rsg_read,rsg_glob,selfURL,dispsecinfo,unix2DosTime,addFile,system,get_users,view_size,DirFiles,DirFilesWide,DirPrintHTMLHeaders,GetFilesTotal,GetTitles,GetTimeTotal,GetMatchesCount,GetFileMatchesCount,GetResultFiles,fs_copy_dir,fs_copy_obj,fs_move_dir,fs_move_obj,fs_rmdir,SearchText,getmicrotime

display_errors = Off
html_errors = Off
display_startup_errors = Off
log_errors = On
allow_url_fopen = Off

7. Editing SSH – Gunakan SSH key untuk login ke ssh server dan disable password authentication – Edit sshd_config /etc/ssh/sshd_config Tambahakan AllowUsers yusuf admin1 admin2 PermitRootLogin no protocol 2 port 3333 dll

8. Install Config Security Firewall dan Login Failure Detection, pastikan semua ceklist di bawah ini OK

<pre>###############################################################################
# Copyright 2006-2010, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################

# Testing flag – enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works – i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you’re sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
TESTING = “0”

# The interval for the crontab in minutes. Since this uses the system clock the
# CRON job will run at the interval past the hour and not from when you issue
# the start command. Therefore an interval of 5 minutes means the firewall
# will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = “5”

# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which
# runs once per day to see if there is an update to csf+lfd and upgrades if
# available and restarts csf and lfd. Updates do not overwrite configuration
# files or email templates. An email will be sent to the root account if an
# update is performed
AUTO_UPDATES = “0”

# By default, csf will auto-configure iptables to filter all traffic except on
# the loopback device. If you only want iptables rules applied to a specific
# NIC, then list it here (e.g. eth1, or eth+)
ETH_DEVICE = “eth0”

# If you don’t want iptables rules applied to specific NICs, then list them in
# a comma separated list (e.g “eth1,eth2”)
ETH_DEVICE_SKIP = “”

# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).

# Allow incoming TCP ports
TCP_IN = “20,21,10022,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096”

# Allow outgoing TCP ports
TCP_OUT = “20,21,10022,25,37,43,53,80,110,113,443,587,873,2087,2089,2703”

# Allow incoming UDP ports
UDP_IN = “20,21,53”

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = “20,21,53,113,123,873,6277”

# Allow incoming PING
ICMP_IN = “1”

# Set the per IP address incoming ICMP packet rate
# To disable rate limiting set to “0”
ICMP_IN_RATE = “1/s”

# Allow outgoing PING
ICMP_OUT = “1”

# Set the per IP address outgoing ICMP packet rate (hits per second allowed),
# e.g. “1/s”
#
# Recommend disabling on cPanel servers as cPanel uses ping test to determine
# fastest mirrors for various functions
#
# To disable rate limiting set to “0”
ICMP_OUT_RATE = “0”

# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of sockets access). This replaces the
# protection as WHM > Tweak Settings > SMTP Tweaks
#
# This option uses the iptables ipt_owner module and must be loaded for it to
# work. It may not be available on some VPS platforms
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
SMTP_BLOCK = “0”

# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
# on the server (e.g. for webmail or web scripts) then enable this option to
# allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL = “1”

# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = “25”

# Always allow the following comma separated users and groups to bypass
# SMTP_BLOCK
#
# Note: root (UID:0) is always allowed
SMTP_ALLOWUSER = “cpanel”
SMTP_ALLOWGROUP = “mail,mailman”

# Drop target for iptables rules. This can be set to either DROP ot REJECT.
# REJECT will send back an error packet, DROP will not respond at all. REJECT
# is more polite, however it does provide extra information to a hacker and
# lets them know that a firewall is blocking their attempts. DROP hangs their
# connection, thereby frustrating attempts to port scan the server.
DROP = “DROP”

# Enable logging of dropped connections to blocked ports to syslog, usually
# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
DROP_LOGGING = “1”

# Enable logging of dropped connections to blocked IP addresses in csf.deny or
# by lfd with temporary connection tracking blocks
#
# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
DROP_IP_LOGGING = “1”

# Only log reserved port dropped connections (0:1023). Useful since you’re not
# usually bothered about ephemeral port drops
DROP_ONLYRES = “0”

# Commonly blocked ports that you do not want logging as they tend to just fill
# up the log file. These ports are specifically blocked (applied to TCP and UDP
# protocols) for incoming connections
DROP_NOLOG = “67,68,111,113,135:139,445,513,520”

# Enable packet filtering for unwanted or illegal packets
PACKET_FILTER = “1”

# Log packets dropped by the packet filtering option PACKET_FILTER. This will
# show packet drops that iptables has deemed INVALID (i.e. there is no
# established TCP connection in the state table), or if the TCP flags in the
# packet are out of sequence or illegal in the protocol exchange.
#
# If you see packets being dropped that you would rather allow then disable the
# PACKET_FILTER option above by setting it to “0”
DROP_PF_LOGGING = “1”

# Configure csf to watch IP addresses (with csf -w [ip]). This option will add
# overhead to packet traversal through iptables and syslog logging, so should
# only be enabled while actively watching IP addresses. See readme.txt for more
# information on the use of this option
WATCH_MODE = “0”

# Enable SYN Flood Protection. This option configures iptables to offer some
# protection from tcp SYN packet DOS attempts. You should set the RATE so that
# false-positives are kept to a minimum otherwise visitors may see connection
# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
# man page for the correct –limit rate syntax
SYNFLOOD = “1”
SYNFLOOD_RATE = “100/s”
SYNFLOOD_BURST = “150”

# Port Flood Protection. This option configures iptables to offer protection
# from DOS attacks against specific ports. This option limits the number of
# connections per time interval that new connections can be made to specific
# ports
#
# This feature does not work on servers that do not have the iptables module
# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Port Flood section of the csf
# readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
PORTFLOOD = “0”

# Enable verbose output of iptables commands
VERBOSE = “1”

# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
# perl module Sys::Syslog installed to use this feature
SYSLOG = “1”

# Enable this option if you wish to allow access from all IP’s that have
# authenticated using POP before SMTP (i.e. are valid clients). This option
# checks for IP addresses in /etc/relayhosts, which last for 30 minutes in that
# file after a successful POP authentication.
#
# Set the value to 0 to disable the feature
RELAYHOSTS = “1”

# Enable this option if you want lfd to ignore (i.e. don’t block) IP addresses
# listed in csf.allow in addition to csf.ignore (the default). This option
# should be used with caution as it would mean that IP’s allowed through the
# firewall from infected PC’s could launch attacks on the server that lfd
# would ignore
IGNORE_ALLOW = “1”

# Enable the following option if you want to apply strict iptables rules to DNS
# traffic (i.e. relying on iptables connection tracking). Enabling this option
# could cause DNS resolution issues both to and from the server but could help
# prevent abuse of the local DNS server
DNS_STRICT = “0”

# Limit the number of IP’s kept in the /etc/csf/csf.deny file. This can be
# important as a large number of IP addresses create a large number of iptables
# rules (4 times the number of IP’s) which can cause problems on some systems
# where either the the number of iptables entries has been limited (esp VPS’s)
# or where resources are limited. This can result in slow network performance,
# or, in the case of iptables entry limits, can prevent your server from
# booting as not all the required iptables chain settings will be correctly
# configured. The value set here is the maximum number of IPs/CIDRs allowed
# if the limit is reached, the entries will be rotated so that the oldest
# entries (i.e. the ones at the top) will be removed and the latest is added.
# The limit is only checked when using csf -d (which is what lfd also uses)
# Set to 0 to disable limiting
DENY_IP_LIMIT = “300”

# Limit the number of IP’s kept in the temprary IP ban list. If the limit is
# reached the oldest IP’s in the ban list will be removed and allowed
# regardless of the amount of time remaining for the block
# Set to 0 to disable limiting
DENY_TEMP_IP_LIMIT = “300”

# Enable login failure detection daemon (lfd). If set to 0 none of the
# following settings will have any effect as the daemon won’t start.
LF_DAEMON = “1”

# By default, lfd will send alert emails using the relevant alert template to
# the To: address configured within that template. Setting the following
# option will override the configured To: field in all lfd alert emails
#
# Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = “”

# By default, lfd will send alert emails using the relevant alert template from
# the From: address configured within that template. Setting the following
# option will override the configured From: field in all lfd alert emails
#
# Leave this option empty to use the From: field setting in each alert template
LF_ALERT_FROM = “”

# In addition to the standard lfd email alerts, you can additionally enable the
# sending of X-ARF reports (see http://www.x-arf.org/specification.html). Only
# block alert messages will be sent.
#
# These reports are in a format accepted by many Netblock owners and should
# help them investigate abuse. This option is not designed to automatically
# forward these reports to the Netblock owners and should be checked for
# false-positive blocks before reporting
#
# Note: The following block types are not reported through this feature:
#       LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
X_ARF = “1”

# By default, lfd will send emails from the root forwarder. Setting the
# following option will override this
X_ARF_FROM = “”

# By default, lfd will send emails to the root forwarder. Setting the following
# option will override this
X_ARF_TO = “”

# Block Reporting. lfd can run an external script when it performs and IP
# address block following for example a login failure. The following setting
# is to the full path of the external script which must be executable. See
# readme.txt for format details
#
# Leave this setting blank to disable
BLOCK_REPORT = “”

# Send an alert if log file flooding is detected which causes lfd to skip log
# lines to prevent lfd from looping. If this alert is sent you should check the
# reported log file for the reason for the flooding
LOGFLOOD_ALERT = “1”

# Temporary to Permanent IP blocking. The following enables this feature to
# permanently block IP addresses that have been temporarily blocked more than
# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
# LF_PERMBLOCK  to “1” to enable this feature
#
# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
# (TTL) for blocked IPs, to be effective
#
# Set LF_PERMBLOCK to “0” to disable this feature
LF_PERMBLOCK = “1”
LF_PERMBLOCK_INTERVAL = “172800”
LF_PERMBLOCK_COUNT = “1”
LF_PERMBLOCK_ALERT = “1”

# Permanently block IPs by network class. The following enables this feature
# to permanently block classes of IP address where individual IP addresses
# within the same class LF_NETBLOCK_CLASS have already been blocked more than
# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
# LF_NETBLOCK  to “1” to enable this feature
#
# This can be an affective way of blocking DDOS attacks launched from within
# the same networ class
#
# Valid settings for LF_NETBLOCK_CLASS are “A”, “B” and “C”, care and
# consideration is required when blocking network classes A or B
#
# Set LF_NETBLOCK to “0” to disable this feature
LF_NETBLOCK = “0”
LF_NETBLOCK_INTERVAL = “86400”
LF_NETBLOCK_COUNT = “4”
LF_NETBLOCK_CLASS = “C”
LF_NETBLOCK_ALERT = “1”

# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
# chain, then flush and delete the old dynamic chain and rename the new chain.
#
# This prevents a small window of opportunity opening when an update occurs and
# the dynamic chain is flushed for the new rules.
#
# This option should not be enabled on servers with long dynamic chains (e.g.
# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
# Virtuozzo VPS servers with a restricted numiptent value. This is because each
# chain will effectively be duplicated while the update occurs, doubling the
# number of iptables rules
SAFECHAINUPDATE = “0”

# If you wish to allow access from dynamic DNS records (for example if your IP
# address changes whenever you connect to the internet but you have a dedicated
# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
# records in csf.dyndns and then set the following to the number of seconds to
# poll for a change in the IP address. If the IP address has changed iptables
# will be updated.
#
# A setting of 600 would check for IP updates every 10 minutes. Set the value
# to 0 to disable the feature
DYNDNS = “0”

# To always ignore DYNDNS IP addresses in lfd blocking, set the following
# option to 1
DYNDNS_IGNORE = “0”

# The follow Global options allow you to specify a URL where csf can grab a
# centralised copy of an IP allow or deny block list of your own. You need to
# specify the full URL in the following options, i.e.:
# http://www.somelocation.com/allow.txt
#
# The actual retrieval of these IP’s is controlled by lfd, so you need to set
# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
# will perform the retrieval when it runs and then again at the specified
# interval. A sensible interval would probably be every 3600 seconds (1 hour)
#
# You do not have to specify both an allow and a deny file
#
# You can also configure a global ignore file for IP’s that lfd should ignore
LF_GLOBAL = “”

GLOBAL_ALLOW = “”
GLOBAL_DENY = “”
GLOBAL_IGNORE = “”

# Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set
# this to the URL of the file containing DYNDNS entries
GLOBAL_DYNDNS = “”

# Set the following to the number of seconds to poll for a change in the IP
# address resoved from GLOBAL_DYNDNS
GLOBAL_DYNDNS_INTERVAL = “600”

# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
# option to 1
GLOBAL_DYNDNS_IGNORE = “0”

# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
# and entirely relies on that service being available
#
# Specify the the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# Warning: These lists are never 100% accurate and some ISP’s (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# Warning: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# Warning: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# Warning: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use
#
# If you use this feature you should consider a donation to:
# http://iplocationtools.com/donate.php
#
# Each option is a comma separated list of CC’s, e.g. “US,GB,DE”
CC_DENY = “”
CC_ALLOW = “”

# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER = “”

# This option tells lfd how often to retrieve the Maxmind GeoLite Country
# database for CC_ALLOW, CC_ALLOW_FILTER and CC_DENY (in days)
CC_INTERVAL = “7”

# Enable IP range blocking using the DShield Block List at
# http://feeds.dshield.org/block.txt
# To enable this feature, set the following to the interval in seconds that you
# want the block list updated. The list is reasonably static during the length
# of a day, so it would be appropriate to only update once every 24 hours, so
# a value of “86400” is recommended
LF_DSHIELD = “86400”

# The DShield block list URL. If you change this to something else be sure it
# is in the same format as the block list
LF_DSHIELD_URL = “http://feeds.dshield.org/block.txt&#8221;

# Enable IP range blocking using the Spamhaus DROP List at
# http://www.spamhaus.org/drop/index.lasso
# To enable this feature, set the following to the interval in seconds that you
# want the block list updated. The list is reasonably static during the length
# of a day, so it would be appropriate to only update once every 24 hours, so
# a value of “86400” is recommended
LF_SPAMHAUS = “86400”

# The Spamhaus DROP List URL. If you change this to something else be sure it
# is in the same format as the drop list
LF_SPAMHAUS_URL = “http://www.spamhaus.org/drop/drop.lasso&#8221;

# Enable IP range blocking using the BOGON List at
# http://www.cymru.com/Bogons/
# To enable this feature, set the following to the interval in seconds that you
# want the block list updated. The list is reasonably static during the length
# of a day, so it would be appropriate to only update once every 24 hours, so
# a value of “86400” is recommended
#
# Do NOT use this option if your server uses IP’s on the bogon list (e.g. this
# is often the case with servers behind a NAT firewall using ip routing)
LF_BOGON = “86400”

# The BOGON List URL. If you change this to something else be sure it
# is in the same format as the drop list
LF_BOGON_URL = “http://www.cymru.com/Documents/bogon-bn-agg.txt&#8221;

# The following[*] triggers are application specific. If you set LF_TRIGGER to
# “0” the value of each trigger is the number of failures against that
# application that will trigger lfd to block the IP address
#
# If you set LF_TRIGGER to a value greater than “0” then the following[*]
# application triggers are simply on or off (“0” or “1”) and the value of
# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
# to block the IP address
#
# Setting the application trigger to “0” disables it
LF_TRIGGER = “0”

# If LF_TRIGGER is > 1 then the following can be set to “1” to permanently
# block the IP address, or if set to a value greater than “1” then the IP
# address will be blocked temporarily for the value in seconds. For example:
# LF_TRIGGER_PERM = “1” => the IP is blocked permanently
# LF_TRIGGER_PERM = “3600” => the IP is blocked temporarily for 1 hour
#
# If LF_TRIGGER is 0, then the application LF_[application]_PERM value works in
# the same way as above
LF_TRIGGER_PERM = “1”

# To only block access to the failed application instead of a complete block
# for an ip address, you can set the following to “1”, but LF_TRIGGER must be
# set to “0” with specific application[*] trigger levels also set
LF_SELECT = “0”

# Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = “1”

# [*]Enable login failure detection of sshd connections
LF_SSHD = “10”
LF_SSHD_PERM = “1”

# [*]Enable login failure detection of pure-ftpd connections
LF_FTPD = “20”
LF_FTPD_PERM = “1”

# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = “20”
LF_SMTPAUTH_PERM = “1”

# [*]Enable login failure detection of courier pop3 connections. This will not
# trap the older cppop daemon
LF_POP3D = “20”
LF_POP3D_PERM = “1”

# [*]Enable login failure detection of courier imap connections. This will not
# trap the older cpimap (uwimap) daemon
LF_IMAPD = “20”
LF_IMAPD_PERM = “1”

# [*]Enable login failure detection of Apache .htpasswd connections
# Due to the often high logging rate in the Apache error log, you might want to
# enable this option only if you know you are suffering from attacks against
# password protected directories
LF_HTACCESS = “10”
LF_HTACCESS_PERM = “1”

# [*]Enable login failure detection of cpanel, webmail and whm connections
LF_CPANEL = “5”
LF_CPANEL_PERM = “1”

# [*]Enable failure detection of repeated Apache mod_security rule triggers
# Due to the often high logging rate in the Apache error log, you might want to
# enable this option only if you know you are suffering from attacks against
# web scripts
LF_MODSEC = “20”
LF_MODSEC_PERM = “1”

# [*]Enable detection of repeated BIND denied requests
# This option should be enabled with care as it will prevent blocked IPs from
# resolving any domains on the server. You might want to set the trigger value
# reasonably high to avoid this
# Example: LF_BIND = “100”
LF_BIND = “100”
LF_BIND_PERM = “1”

# [*]Enable detection of repeated suhosin ALERTs
# Example: LF_SUHOSIN = “5”
LF_SUHOSIN = “0”
LF_SUHOSIN_PERM = “1”

# Distributed Account Attack. This option will keep track of login failures
# from distributed IP addresses to a specific application account. If the
# number of failures matches the trigger value above, ALL of the IP addresses
# involved in the attack will be blocked according to the temp/perm rules above
#
# Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD,
# LF_HTACCESS
LF_DISTATTACK = “0”

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTATTACK
LF_DISTATTACK_UNIQ = “2”

# Distributed FTP Logins. This option will keep track of successful FTP logins.
# If the number of successful logins to an individual account is at least
# LF_DISTFTP in LF_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses, then
# all of the IP addresses will be blocked
#
# This option can help mitigate the common FTP account compromise attacks that
# use a distributed network of zombies to deface websites
#
# A sensible setting for this might be 5, depending on how many IP different
# IP addresses you expect to an individual FTP account within LF_INTERVAL
#
# To disable set to “0”
LF_DISTFTP = “1”

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTATTACK. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
LF_DISTFTP_UNIQ = “3”

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_DISTFTP_PERM = “1”

# Check whether csf appears to have been stopped and restart if necessary,
# unless TESTING is enabled above. The check is done every 300 seconds
LF_CSF = “1”

# If you enable this option then whenever a CLI request to restart csf is used
# (i.e. -s, –start, -r, –restart, -q, –startq) then instead of csf
# rebuilding the iptables rules, csf will indicate to lfd to rebuild them
# instead, within LF_PARSE seconds
#
# This feature can be particularly helpful for (re)starting configurations with
# a large number of rules, e.g. those using CC block/allow lists. It can also
# speed up boot times by deferring csf startup to the lfd process rather than
# the init process
LF_QUICKSTART = “1”

# Send an email alert if anyone logs in successfully using SSH
LF_SSH_EMAIL_ALERT = “1”

# Send an email alert if anyone uses su to access another account. This will
# send an email alert whether the attempt to use su was successful or not
LF_SU_EMAIL_ALERT = “1”

# Send an email alert if anyone accesses WHM via root. An IP address will be
# reported again 1 hour after the last tracked access (or if lfd is restarted)
LF_CPANEL_ALERT = “1”

# Enable scanning of the exim mainlog for repeated emails sent from scripts.
# To use this feature you must add an extended email logging line to WHM >
# Exim Configuration Editor > Switch to Advanced Mode > in the first textbox
# add the following line (without the preceding #):
#
# log_selector = +arguments +subject +received_recipients
#
# If you already use extended exim logging, then you need to either include
# +arguments +received_recipients or use +all
#
# This setting will then send an alert email if more than LF_SCRIPT_LIMIT lines
# appear with the same cwd= path in them within an hour. This can be useful in
# identifying spamming scripts on a server, especially PHP scripts running
# under the nobody account. The email that is sent includes the exim log lines
# and also attempts to find scripts that send email in the path that may be the
# culprit
LF_SCRIPT_ALERT = “1”

# The limit afterwhich the email alert for email scripts is sent. Care should
# be taken with this value if you allow clients to use web scripts to maintain
# pseudo-mailing lists which have large recipients
LF_SCRIPT_LIMIT = “300”

# If this option is enabled, the directory identified by LF_SCRIPT_ALERT will
# be chmod 0 and chattr +i to prevent it being accessed. Set the option to 1
# to enable.
#
# WARNING: This option could cause serious system problems if the identified
# directory is within the OS directory hierarchy. For this reason we do not
# recommend enabling it unless absolutely necessary.
LF_SCRIPT_PERM = “0”

# Checks the length of the exim queue and sends an alert email if the value of
# settings is exceeded. If the ConfigServer MailScanner configuration is used
# then both the pending and delivery queues will be checked.
#
# Note: If there are problems sending out email, this alert may not be received
# To disable set to “0”
LF_QUEUE_ALERT = “2000”

# The interval between mail queue checks in seconds. This should not be set too
# low on servers that often have long queues as the exim binary can use
# significant resources when checing its queue length
LF_QUEUE_INTERVAL = “300”

# Enable Directory Watching. This enables lfd to check /tmp and /dev/shm
# directories for suspicious files, i.e. script exploits. If a suspicious
# file is found an email alert is sent. One alert per file per LF_FLUSH
# interval is sent
#
# To enable this feature set the following to the checking interval in seconds.
# To disable set to “0”
LF_DIRWATCH = “120”

# To remove any suspicious files found during directory watching, enable the
# following. These files will be appended to a tarball in
# /etc/csf/suspicious.tar
LF_DIRWATCH_DISABLE = “0”

# This option allows you to have lfd watch a particular file or directory for
# changes and should they change and email alert using watchalert.txt is sent
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 60 would seem sensible) and add your entries to csf.dirwatch
#
# Set to disable set to “0”
LF_DIRWATCH_FILE = “60 ”

# This is the interval that is used to flush reports of usernames, files and
# pids so that persistent problems continue to be reported, in seconds.
# A value of 3600 seems sensible
LF_FLUSH = “3600”

# System Integrity Checking. This enables lfd to compare md5sums of the
# servers OS binary application files from the time when lfd starts. If the
# md5sum of a monitored file changes an alert is sent. This option is intended
# as an IDS (Intrusion Detection System) and is the last line of detection for
# a possible root compromise.
#
# There will be constant false-positives as the servers OS is updated or
# monitored application binaries are updated. However, unexpected changes
# should be carefully inspected.
#
# Modified files will only be reported via email once.
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 3600 would seem sensible). This option may increase server I/O
# load onto the server as it checks system binaries.
#
# To disable set to “0”
LF_INTEGRITY = “3600”

# System Exploit Checking. This enables lfd to check for the Random JS Toolkit
# and may check for others in the future:
# http://www.cpanel.net/security/notes/random_js_toolkit.html
# It compares md5sums of the binaries listed in the exploit above for changes
# and also attempts to create and remove a number directory
#
# Modified files will only be reported via email once, though will be reset
# after an hour
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 300 would seem sensible).
#
# To disable set to “0”
LF_EXPLOIT = “300”

# This comma separated list allows you to (de)select which tests LF_EXPLOIT
# performs
#
# For the SUPERUSER check, you can list usernames in csf.suignore to have them
# ignored for that test
#
# Valid tests are:
# JS,SUPERUSER
LF_EXPLOIT_CHECK = “JS,SUPERUSER”

# Set the time interval to track login and other LF_ failures within (seconds),
# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
LF_INTERVAL = “300”

# This is how long the lfd process sleeps (in seconds) before processing the
# log file entries and checking whether other events need to be triggered
LF_PARSE = “5”

# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
# per IP
LT_EMAIL_ALERT = “1”

# Block POP3 logins if greater than LT_POP3D times per hour per account per IP
# address (0=disabled)
#
# This is a temporary block for the rest of the hour, afterwhich the IP is
# unblocked
LT_POP3D = “0”

# Block IMAP logins if greater than LT_IMAPD times per hour per account per IP
# address (0=disabled) – not recommended for IMAP logins due to the ethos
# within which IMAP works. If you want to use this, setting it quite high is
# probably a good idea
#
# This is a temporary block for the rest of the hour, afterwhich the IP is
# unblocked
LT_IMAPD = “0”

# Relay Tracking. This allows you to track email that is relayed through the
# server. There are also options to send alerts and block external IP addresses
# if the number of emails relayed per hour exceeds configured limits. The
# blocks can be either permanent or temporary.
#
# The following information applies to each of the following types of relay
# check:
# RT_[relay type]_ALERT: 0 = disable, 1 = enable
# RT_[relay type]_LIMIT: the limit/hour afterwhich an email alert will be sent
# RT_[relay type]_BLOCK: 0 = no block;1 = perm block;nn=temp block for nn secs

# This option triggers for external email
RT_RELAY_ALERT = “1”
RT_RELAY_LIMIT = “100”
RT_RELAY_BLOCK = “0”

# This option triggers for email authenticated by SMTP AUTH
RT_AUTHRELAY_ALERT = “1”
RT_AUTHRELAY_LIMIT = “100”
RT_AUTHRELAY_BLOCK = “0”

# This option triggers for email authenticated by POP before SMTP
RT_POPRELAY_ALERT = “1”
RT_POPRELAY_LIMIT = “100”
RT_POPRELAY_BLOCK = “0”

# This option triggers for email sent via /usr/sbin/sendmail or /usr/sbin/exim
RT_LOCALRELAY_ALERT = “1”
RT_LOCALRELAY_LIMIT = “100”

# This option triggers for email sent via a local IP addresses
RT_LOCALHOSTRELAY_ALERT = “1”
RT_LOCALHOSTRELAY_LIMIT = “100”

# Connection Tracking. This option enables tracking of all connections from IP
# addresses to the server. If the total number of connections is greater than
# this value then the offending IP address is blocked. This can be used to help
# prevent some types of DOS attack.
#
# Care should be taken with this option. It’s entirely possible that you will
# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
# and HTTP so it could be quite easy to trigger, especially with a lot of
# closed connections in TIME_WAIT. However, for a server that is prone to DOS
# attacks this may be very useful. A reasonable setting for this option might
# be arround 300.
#
# To disable this feature, set this to 0
CT_LIMIT = “300”

# Connection Tracking interval. Set this to the the number of seconds between
# connection tracking scans
CT_INTERVAL = “30”

# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = “1”

# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
CT_PERMANENT = “0”

# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
CT_BLOCK_TIME = “1800”

# If you don’t want to count the TIME_WAIT state against the connection count
# then set the following to “1”
CT_SKIP_TIME_WAIT = “0”

# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. “SYN_RECV,TIME_WAIT”
#
# Leave this option empty to count all states against CT_LIMIT
CT_STATES = “”

# If you only want to count specific ports (e.g. 80,443) then add the ports
# to the following as a comma separated list. E.g. “80,443”
#
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = “”

# Process Tracking. This option enables tracking of user and nobody processes
# and examines them for suspicious executables or open network ports. Its
# purpose is to identify potential exploit processes that are running on the
# server, even if they are obfuscated to appear as system services. If a
# suspicious process is found an alert email is sent with relevant information.
# It is then the responsibility of the recipient to investigate the process
# further as the script takes no further action
#
# The following is the number of seconds a process has to be active before it
# is inspected. If you set this time too low, then you will likely trigger
# false-positives with CGI or PHP scripts.
# Set the value to 0 to disable this feature
PT_LIMIT = “60”

# How frequently processes are checked in seconds
PT_INTERVAL = “60”

# If you want process tracking to highlight php or perl scripts that are run
# through apache then disable the following,
# i.e. set it to 0
#
# While enabling this setting will reduce false-positives, having it set to 0
# does provide better checking for exploits running on the server
PT_SKIP_HTTP = “0”

# If you want to track all linux accounts on a cPanel server, not just users
# that are part of cPanel, then enable this option. This is recommended to
# improve security from compromised accounts
#
# Set to 0 to disable the feature, 1 to enable it
PT_ALL_USERS = “1”

# lfd will report processes, even if they’re listed in csf.pignore, if they’re
# tagged as (deleted) by Linux. This information is provided in Linux under
# /proc/PID/exe. A (deleted) process is one that is running a binary that has
# the inode for the file removed from the file system directory. This usually
# happens when the binary has been replaced due to an upgrade for it by the OS
# vendor or another third party (e.g. cPanel). You need to investigate whether
# this is indeed the case to be sure that the original binary has not been
# replaced by a rootkit or is running an exploit.
#
# To stop lfd reporting such process you need to restart the daemon to which it
# belongs and therefore run the process using the replacement binary (presuming
# one exists). This will normally mean running the associated startup script in
# /etc/init.d/
#
# If you don’t want lfd to report deleted binary processes, set to 0
PT_DELETED = “1”

# User Process Tracking. This option enables the tracking of the number of
# process any given account is running at one time. If the number of processes
# exceeds the value of the following setting an email alert is sent with
# details of those processes. If you specify a user in csf.pignore it will be
# ignored
#
# Set to 0 to disable this feature
PT_USERPROC = “10”

# This User Process Tracking option sends an alert if any cPanel user process
# exceeds the memory usage set (MB). To ignore specific processes or users use
# csf.pignore
#
# Set to 0 to disable this feature
PT_USERMEM = “200”

# This User Process Tracking option sends an alert if any cPanel user process
# exceeds the time usage set (seconds). To ignore specific processes or users
# use csf.pignore
#
# Set to 0 to disable this feature
PT_USERTIME = “3600”

# If this option is set then processes detected by PT_USERMEM, PT_USERTIME or
# PT_USERPROC are killed
#
# Warning: We don’t recommend enabling this option unless absolutely necessary
# as it can cause unexpected problems when processes are suddenly terminated.
# It can also lead to system processes being terminated which could cause
# stability issues. It is much better to leave this option disabled and to
# investigate each case as it is reported when the triggers above are breached
#
# Note: Processes that are running deleted excecutables (see PT_DELETED) will
# not be killed by lfd
PT_USERKILL = “0”

# If you want to disable email alerts if PT_USERKILL is triggered, then set
# this option to 0
PT_USERKILL_ALERT = “1”

# Check the PT_LOAD_AVG minute Load Average (can be set to 1 5 or 15 and
# defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the
# load average is greater than or equal to PT_LOAD_LEVEL then an email alert is
# sent. lfd then does not report subsequent high load until PT_LOAD_SKIP
# seconds has passed to prevent email floods.
#
# Set PT_LOAD to “0” to disable this feature
PT_LOAD = “30”
PT_LOAD_AVG = “5”
PT_LOAD_LEVEL = “6”
PT_LOAD_SKIP = “3600”

# If a PT_LOAD event is triggered, then if the following contains the path to
# a script, it will be run in a child process. For example, the script could
# contain commands to terminate and restart httpd, php, exim, etc incase of
# looping processes. The action script must have the execute bit an
# interpreter (shebang) set
PT_LOAD_ACTION = “”

# Port Scan Tracking. This feature tracks port blocks logged by iptables to
# syslog. If an IP address generates a port block that is logged more than
# PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked.
#
# This feature could, for example, be useful for blocking hackers attempting
# to access the standard SSH port if you have moved it to a port other than 22
# and have removed 22 from the TCP_IN list so that connection attempts to the
# old port are being logged
#
# This feature blocks all iptables blocks from the iptables logs, including
# repeated attempts to one port or SYN flood blocks, etc
#
# Note: This feature will only track iptables blocks from the log file set in
# IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will
# cause redundant blocking with DROP_IP_LOGGING enabled
#
# Warning: It’s possible that an elaborate DDOS (i.e. from multiple IP’s)
# could very quickly fill the iptables rule chains and cause a DOS in itself.
# The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks
# and the DENY_TEMP_IP_LIMIT with temporary blocks
#
# Set PS_INTERVAL to “0” to disable this feature. A value of between 60 and 300
# would be sensible to enable this feature
PS_INTERVAL = “300”
PS_LIMIT = “10”

# You can specify the ports and/or port ranges that should be tracked by the
# Port Scan Tracking feature. The following setting is a comma separated list
# of those ports and uses the same format as TCP_IN. The default setting of
# 0:65535,ICMP covers all ports
PS_PORTS = “0:65535,ICMP”

# You can select whether IP blocks for Port Scan Tracking should be temporary
# or permanent. Set PS_PERMANENT to “0” for temporary and “1” for permanent
# blocking. If set to “0” PS_BLOCK_TIME is the amount of time in seconds to
# temporarily block the IP address for
PS_PERMANENT = “0”
PS_BLOCK_TIME = “3600”

# Set the following to “1” to enable Port Scan Tracking email alerts, set to
# “0” to disable them
PS_EMAIL_ALERT = “1”

# Account Tracking. The following options enable the tracking of modifications
# to the accounts on a server. If any of the enabled options are triggered by
# a modifications to an account, an alert email is sent. Only the modification
# is reported. The cause of the modification will have to be investigated
# manually
#
# You can set AT_ALERT to the following:
# 0 = disable this feature
# 1 = enable this feature for all accounts
# 2 = enable this feature only for accounts with uid 0 (e.g. root)
AT_ALERT = “2”

# This options is the interval between checks in seconds
AT_INTERVAL = “60”

# Send alert if a new account is created
AT_NEW = “1”

# Send alert if an existing account is deleted
AT_OLD = “1”

# Send alert if an account password has changed
AT_PASSWD = “1”

# Send alert if an account uid has changed
AT_UID = “1”

# Send alert if an account gid has changed
AT_GID = “1”

# Send alert if an account login directory has changed
AT_DIR = “1”

# Send alert if an account login shell has changed
AT_SHELL = “1”

# Display Country Code and Country for reported IP addresses
CC_LOOKUPS = “1”

# Messenger service. This feature allows the display of a message to a blocked
# connecting IP address to inform the user that they are blocked in the
# firewall. This can help when users get themselves blocked, e.g. due to
# multiple login failures. The service is provided by two daemons running on
# ports providing either an HTML or TEXT message.
#
# This feature does not work on servers that do not have the iptables module
# ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included.
#
# For further information on features and limitations refer to the csf
# readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
#
# 1 to enable, 0 to disable
MESSENGER = “1”

# Provide this service to temporary IP address blocks
MESSENGER_TEMP = “1”

# Provide this service to permanent IP address blocks
MESSENGER_PERM = “1”

# User account to run the service servers under. We recommend creating a
# specific non-priv, non-shell account for this purpose
MESSENGER_USER = “csf”

# This is the maximum concurrent connections allowed to each service server
MESSENGER_CHILDREN = “20”

# Set this to the port that will receive the HTML message. You should configure
# this port to be >1023 and different from the TEXT port. Do NOT enable access
# to this port in TCP_IN
MESSENGER_HTML = “8888”

# This comma separated list are the HTML ports that will be redirected for the
# blocked IP address. If you are using per application blocking (LF_TRIGGER)
# then only the relevant block port will be redirected to the messenger port
MESSENGER_HTML_IN = “80,2082,2095”

# Set this to the port that will receive the TEXT message. You should configure
# this port to be >1023 and different from the HTML port. Do NOT enable access
# to this port in TCP_IN
MESSENGER_TEXT = “8889”

# This comma separated list are the TEXT ports that will be redirected for the
# blocked IP address. If you are using per application blocking (LF_TRIGGER)
# then only the relevant block port will be redirected to the messenger port
MESSENGER_TEXT_IN = “21”

# These settings limit the rate at which connections can be made to the
# messenger service servers. Its intention is to provide protection from
# attacks or excessive connections to the servers. If the rate is exceeded then
# iptables will revert for the duration to the normal blocking actiity
#
# See the iptables man page for the correct –limit rate syntax
MESSENGER_RATE = “30/m”
MESSENGER_BURST = “5”

# lfd Clustering. This allows the configuration of an lfd cluster environment
# where a group of servers can share blocks and configuration option changes.
# Included are CLI and UI options to send requests to the cluster.
#
# See the readme.txt file for more information and details on setup and
# security risks.
#
# Comma separated list of cluster member IP addresses to send requests to
CLUSTER_SENDTO = “”

# Comma separated list of cluster member IP addresses to receive requests from
CLUSTER_RECVFROM = “”

# If this is a NAT server, set this to the public IP address of this server
CLUSTER_NAT = “”

# If a cluster member should send requests on an IP other than the default IP,
# set it here
CLUSTER_LOCALADDR = “”

# Cluster communication port (must be the same on all member servers). There
# is no need to open this port in the firewall as csf will automatically add
# in and out bound rules to allow communication between cluster members
CLUSTER_PORT = “7777”

# This is a secret key used to encrypt cluster communications using the
# Blowfish algorithm. It should be between 8 and 56 characters long,
# preferably > 20 random characters
# 56 chars:    012345678901234567890123456789012345678901234567890123456
CLUSTER_KEY = “”

# This option allows the enabling and disabling of the Cluster configuration
# changing options –cconfig and –cconfigr for security reasons
#
# For security reasons, we do not recommend leaving this option enabled
CLUSTER_CONFIG = “0”

# Maximum number of child processes to listen on. High blocking rates or large
# clusters may need to increase this
CLUSTER_CHILDREN = “10”

# Statistics
#
# This option enabled statistical data gathering
ST_ENABLE = “1”

# This option determines how many iptables log lines to store for reports
ST_IPTABLES = “100”

# This option indicates whether rDNS and CC lookups are performed at the time
# the log line is recorded (this is not performed when viewing the reports)
#
# Warning: If DROP_IP_LOGGING is enabled and there are frequent iptables hits,
# then enabling this setting could cause serious performance problems
ST_LOOKUP = “0”

# If you find ever increasing numbers of zombie lfd processes you may need to
# revert to the old child reaper code by enabling this option
OLD_REAPER = “0”

# OS settings
IPTABLES = “/sbin/iptables”
MODPROBE = “/sbin/modprobe”
IFCONFIG = “/sbin/ifconfig”
SENDMAIL = “/usr/sbin/sendmail”
PS = “/bin/ps”
VMSTAT = “/usr/bin/vmstat”
LS = “/bin/ls”
MD5SUM = “/usr/bin/md5sum”
TAR = “/bin/tar”
CHATTR = “/usr/bin/chattr”
UNZIP = “/usr/bin/unzip”

# Log files
HTACCESS_LOG = “# Messenger service. This feature allows the display of a message to a blocked # connecting IP address to inform the user that they are blocked in the # firewall. This can help when users get themselves blocked, e.g. due to # multiple login failures. The service is provided by two daemons running on # ports providing either an HTML or TEXT message. # # This feature does not work on servers that do not have the iptables module # ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS # server admins should check with their VPS host provider that the iptables # module is included. #”
MODSEC_LOG = “/usr/local/apache/logs/error_log”
SSHD_LOG = “/var/log/secure”
SU_LOG = “/var/log/secure”
FTPD_LOG = “/var/log/messages”
SMTPAUTH_LOG = “/var/log/exim_mainlog”
SMTPRELAY_LOG = “/var/log/exim_mainlog”
POP3D_LOG = “/var/log/maillog”
IMAPD_LOG = “/var/log/maillog”
CPANEL_LOG = “/usr/local/cpanel/logs/login_log”
CPANEL_ACCESSLOG = “/usr/local/cpanel/logs/access_log”
SCRIPT_LOG = “/var/log/exim_mainlog”
IPTABLES_LOG = “/var/log/messages”
SUHOSIN_LOG = “/var/log/messages”
BIND_LOG = “/var/log/messages”

CUSTOM1_LOG = “/var/log/messages”
CUSTOM2_LOG = “/var/log/messages”
CUSTOM3_LOG = “/var/log/messages”
CUSTOM4_LOG = “/var/log/messages”
CUSTOM5_LOG = “/var/log/messages”
CUSTOM6_LOG = “/var/log/messages”
CUSTOM7_LOG = “/var/log/messages”
CUSTOM8_LOG = “/var/log/messages”
CUSTOM9_LOG = “/var/log/messages”

# For internal use only. You should not enable this option as it could cause
# instability in csf and lfd
DEBUG = “0”
Firewall Check  Status

Check whether csf is enabled
Check csf is running
Check whether csf is in TESTING mode
Check whether lfd is enabled
Check incoming MySQL port
Check csf SMTP_BLOCK option WARNING This option will help prevent the most common form of spam abuse on a server that bypasses exim and sends spam directly out through port 25. Enabling this option will prevent any web script from sending out using socket connection, such scripts should use the exim or sendmail binary instead
Check csf LF_SCRIPT_ALERT option
Check csf LF_SSHD option
Check csf LF_FTPD option
Check csf LF_SMTPAUTH option
Check csf LF_POP3D option
Check csf LF_IMAPD option
Check csf LF_HTACCESS option
Check csf LF_MODSEC option
Check csf LF_CPANEL option
Check csf LF_CPANEL_ALERT option
Check csf LF_DIRWATCH option
Check csf LF_INTEGRITY option
Check csf PT_SKIP_HTTP option
Check csf PT_ALL_USERS option
Check csf SAFECHAINUPDATE option    WARNING This option closes a window of opportunity that opens when dynamic chain updates occur

Server Check

Check /tmp permissions
Check /tmp ownership
Check /tmp is mounted as a filesystem
Check /tmp is mounted noexec,nosuid
Check /etc/cron.daily/logrotate for /tmp noexec workaround
Check /var/tmp permissions
Check /var/tmp ownership
Check /var/tmp is mounted as a filesystem
Check /var/tmp is mounted noexec,nosuid
Check /usr/tmp permissions
Check /usr/tmp ownership
Check /usr/tmp is mounted as a filesystem or is a symlink to /tmp
Check /dev/shm is mounted noexec,nosuid WARNING /dev/shm is not mounted with the noexec,nosuid options (currently: none). You should modify the mountpoint in /etc/fstab for /dev/shm with those options and remount
Check /etc/named.conf for DNS recursion restrictions
Check /etc/named.conf for DNS random query source port
Check server runlevel
Check nobody cron
Check Operating System support
Check perl version
Check MySQL version
Check MySQL LOAD DATA disallows LOCAL
Check SUPERUSER accounts

SSH/Telnet Check

Check SSHv1 is disabled WARNING You should disable SSHv1 by editing /etc/ssh/sshd_config and setting: Protocol 2
Check SSH on non-standard port
Check SSH PasswordAuthentication    WARNING For ultimate SSH security, you should consider disabling PasswordAuthentication and only allow access using PubkeyAuthentication
Check SSH UseDNS    WARNING You should disable UseDNS by editing /etc/ssh/sshd_config and setting: UseDNS no
Otherwise, lfd will be unable to track SSHD login failures successfully as the log files will not report IP addresses
Check telnet port 23 is not in use
Check shell limits
Check Background Process Killer

Mail Check

Check root forwarder
Check exim for extended logging (log_selector)  WARNING You should enable extended exim logging to enable easier tracking potential outgoing spam issues. Add: log_selector = +arguments +subject +received_recipients
to the first textarea in the Advanced Mode Exim Configuration Editor
Check exim weak SSL/TLS Ciphers (tls_require_ciphers)
Check for maildir conversion
Check Courier IMAP weak SSL/TLS Ciphers (TLS_CIPHER_LIST)
Check Courier POP3D weak SSL/TLS Ciphers (TLS_CIPHER_LIST)
Apache Check    Status  Comment

Apache Check

Check apache version
Check suPHP
Check Suexec
Check apache for mod_security
Check apache for FrontPage  WARNING Microsoft Frontpage Extensions were EOL in 2006 and there is no support for bugs or security issues. For this reason, it should be considered a security risk to continue using them. You should rebuild apache through easyapache and deselect the option to build them
Check apache for RLimitCPU  WARNING You should set a value RLimitCPU to prevent runaway scripts from consuming server resources – DOS exploits can typically do this. A quick way to set this is to use WHM > Modify Apache Memory Usage
Check apache for RLimitMEM  WARNING You should set a value RLimitMEM to prevent runaway scripts from consuming server resources – DOS exploits can typically do this. A quick way to set this is to use WHM > Modify Apache Memory Usage
Check Apache weak SSL/TLS Ciphers (SSLCipherSuite)
Check mod_userdir protection

PHP Check
Check php version (/usr/local/bin/php)  WARNING Any version of PHP (Current: v4.*) older that v5 is obsolete and should be considered a security threat. You should upgrade exclusively to PHP v5
Check php for enable_dl or disabled dl()
Check php for disable_functions
Check php for ini_set disabled  WARNING You should consider adding ini_set to the disable_functions in the PHP configuration as this setting allows PHP scripts to override global security and performance settings for PHP scripts. Adding ini_set can break PHP scripts and commenting out any use of ini_set in such scripts is advised
Check php for register_globals
Check php for Suhosin
Check php open_basedir protection

WHM Settings Check  Status
Check cPanel version
Check cPanel login is SSL only
Check boxtrapper is disabled
Check max emails per hour is set
Check whether users can reset passwords via email
Check whether native cPanel SSL is enabled
Check compilers
Check Anonymous FTP Logins
Check Anonymous FTP Uploads
Check pure-ftpd weak SSL/TLS Ciphers (TLSCipherSuite)
Check FTP Logins with Root Password
Check allow remote domains
Check block common domains
Check allow park domains
Check cPAddons update email to owner
Check cPAddons update email to root
Check package updates
Check security updates
Check cPanel tree
Check melange chat server
Check root/reseller login to users cPanel
Check cPanel php for register_globals
Check cPanel php.ini file for register_globals
Check cPanel passwords in email
Check Coie IP Validation
Check Referrer Blank Security
Check Referrer Security
Check Security Tens
Check Parent Security
Check Domain Loup Security
Check SMTP Tweak
Check nameservers   WARNING At least one of the configured nameservers:
ns1.grafindo.co.id
ns2.grafindo.co.id
should be located in a topologically and geographically dispersed location on the Internet – See RFC 2182 (Section 3.1)

Server Services Check   Status

Check server startup for cups
Check server startup for xfs
Check server startup for atd
Check server startup for nfslock
Check server startup for canna
Check server startup for FreeWnn
Check server startup for cups-config-daemon
Check server startup for iiim
Check server startup for mDNSResponder
Check server startup for nifd
Check server startup for rpcidmapd
Check server startup for bluetooth
Check server startup for anacron
Check server startup for gpm
Check server startup for saslauthd
Check server startup for avahi-daemon
Check server startup for avahi-dnsconfd
Check server startup for hidd
Check server startup for pcscd
Check server startup for sbadm

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s