Optimal Settings (web, Database, Security)
Jul 7, 2009
I have the following config:
Centos 4.7 Final
Apache 2.2
PHP 5.2.9 (suphp / suhosin disabled)
MySQL 5
Server: Dual Xeon, 4GB Memory
I'd like input on the most optimal settings overall
php.ini
Quote:
; Memcache Section
extension = memcache.so
memcache.allow_failover = 0
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;
max_execution_time = 300
max_input_time = 600
memory_limit = 256M
httpd.conf
Quote:
RLimitMEM 473331029
RLimitCPU 240
ErrorLog logs/error_log
DefaultType text/plain
AddType text/html .shtml
ServerLimit 1000
KeepAlive On
MaxKeepAliveRequests 64
KeepAliveTimeout 1
MinSpareServers 5
MaxSpareServers 15
StartServers 30
MaxClients 850
MaxRequestsPerChild 64
HostnameLookups Off
UseCanonicalName Off
my.cnf
Quote:
[mysqld]
local-infile=0
datadir=/var/lib/mysql
skip-locking
skip-networking
safe-show-database
query_cache_limit=2M
query_cache_size=128M ## 32MB for every 1GB of RAM
query_cache_type=1
max_user_connections=350
max_connections=600
interactive_timeout=10
wait_timeout=28800
connect_timeout=20
thread_cache_size=128
key_buffer=512M ## 128MB for every 1GB of RAM
join_buffer=8M
max_connect_errors=20
max_allowed_packet=32M
table_cache=1024
record_buffer=8M
sort_buffer_size=4M ## 1MB for every 1GB of RAM
read_buffer_size=4M ## 1MB for every 1GB of RAM
read_rnd_buffer_size=4M ## 1MB for every 1GB of RAM
thread_concurrency=8 ## Number of CPUs x 2
myisam_sort_buffer_size=64M
server-id=1
collation-server=latin1_swedish_ci
[mysql.server]
user=mysql
old-passwords = 1
[safe_mysqld]
err-log=/var/log/mysqld.log
pid-file=/var/lib/mysql/mysql.pid
open_files_limit=8192
Dec 29, 2007
I am in the process of configuring my volumedrive dedicated server and would like some input on ideal settings for my filesystem.
I'd appreciate suggestions and explanations of what the options do.
Here is my system info:
Linux volumedrive.com 2.6.18-53.el5 #1 SMP Mon Nov 12 02:14:55 EST 2007 x86_64 x86_64 x86_64 GNU/Linux
CentOS release 5 (Final)
AMD Sempron64 3000+
1GB RAM
HDD:
Location: SCSI device B
Cylinders: 60801
Size: 465.76 GB
Model: ATA ST3500320AS
Seagate Barracuda 7200.11 ST3500320AS 500GB 7200 RPM
32MB Cache SATA 3.0Gb/s Hard Drive
Parameters I can change:
EXT 3 File System Configuration Options:
Block size
Fragment size
Bytes per inode
Reserved blocks
Journal file size
Edit IDE Parameters
Transfer mode: Default mode / Disable IORDY / PIO mode 1,2,3,4 / Multimode DMA 0,1,2 / Ultra DMA 0,1,2
Using DMA: On/Off
Sector count: 256
Read-lookahead: On/Off
Write caching: On/Off
Interrupt unmask: On/Off
Keep settings over reset: On/Off
Keep features over reset: On/Off
Read only: On/Off
Reprogram best PIO: On/Off
Standby timeout: 0
32-bit I/O support: Disable / Enable / Enable with special sync sequence
Sector count for multiple sector I/O: Disable 2 4 8 16 32
Feb 15, 2009
How can I enable the following options on my VPS:
LF_HTACCESS
PT_SKIP_HTTP
PT_ALL_USERS
Mar 4, 2007
This is my list (from my head) of things to install or do on a webhosting server to enhance security (not in any particular order):
- rkhunter.
- chkrootkit.
- secure /tmp and similars.
- install mod_security.
- install mod_deflate.
- change ssh port.
- disable root login.
- install and tweak apf.
- install bfd.
- setup logwatch.
- add known "bad" IPs to apf list.
- enforce long and secure passwords.
- sysctl.conf Hardening
- Mod_LimitIPConn
- System Integrity Monitor
- System Priority
- Process Resource Monitor
- Port Scan Attack Detection
- In php.ini, disable:
exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen
- Prevent Apache and BIND from showing their versions.
Aug 30, 2007
Just have some questions regarding server settings and security
1) What will happen if
Open_basedir in php.ini is changed to
Open_basedir = /home:/tmp
?
2) What will happen if all hosted users in the passwd file are set to /sbin/nologin?
Does it affect running the web site?
What are the effects if the following accounts are set to /sbin/nologin:
sync (default is /bin/sync)
shutdown (default is /sbin/shutdown)
halt (default is /sbin/halt)
news (default is empty)
netdump (default is /bin/bash)
mysql (default is /bin/bash)
mailman (default is /bin/bash)
cpanel (default is /bin/bash)
3) How do I make /bin/bash in the passwd file the default path for each new user added (automatically) on a cpanel/whm server?
4) What is the effect if base64_encode and base64_decode are added to disable_functions?
5) How to secure host.conf and nsswitch.conf to prevent DNS lookup poisoning and also provide protection against spoofs?
6) How to secure the system configuration file sysctl.conf to prevent the TCP/IP stack from syn-flood attacks?
7) What is ClamAV and how to disable it?
Apr 13, 2008
I just purchased a Dell PowerEdge in order to move my website to its own dedicated server. I have a few questions on the best Linux partition setup for a webserver. The system has 8 gigs of RAM, a RAID 10 setup with four 15k rpm drives and two quad-core CPUs.
The os is CentOS 5.1
The server can have up to 30,000 uniques in a single day and can be somewhat database intensive.
Does anyone have a recommended partition setup, besides the default?
With 8 gigs of RAM, what is the recommended swap? I've seen rules that say for anything over 2 gigs of RAM, the rule is S = M+2. So that would put me at 10 gigs swap. Is that overkill?
Should I make a separate partition for log files?
Jul 26, 2007
We have a very small server/network/telecommunications room with one server rack housing 2 racked Dell servers, 2 3com router, 1 switch, 2 UPSes and 2 tower servers.
In addition, our phone system is housed in this room.
The temperature is normally about 77 degrees Fahrenheit. It is a VERY small room and central air does not reach the room. There is only a portable A/C (I guess it's fairly powerful) that we leave on all night and day at its max. However, the temperature stays at a constant 77 degrees.
I read in some articles that the temp should be about 58 degrees Fahrenheit. Is that true?
Is our equipment being damaged by the temperature in the room?
Apr 10, 2009
on the optimal setup for a new clients project. We currently host with eUKhost and have been very happy with them in terms of support. They offer a range of hi-end dedi servers but as with everything in life, cost is an issue.
The 3 servers I am looking at are:
Quad Core Intel Xeon X3360, 2GB Ram, 250Gb Sata, 100Mbit - £170 pm
Quad Core Intel Xeon X3353, 8GB Ram, 2x500Gb Sata, 100Mbit - £260 pm
Dual Quad Core Intel Xeon X5420, 12GB Ram, 2x500Gb Sata, 100Mbit - £419 pm
I know that obviously if money was not an issue, the last server would be the best, but I wonder if this is absolutely necessary for the website. Here are the anticipated site specs....
Portal site with anticipated traffic of around 5,000 visitors online at any one time, searching around 1,000,000 business listings and around 500,000 classifieds ads. Most listings or ads would have multiple pictures on their pages and there will be a reasonable amount of advertising on each page.
My question is whether the system will function adequately with a lesser processor and more RAM, or whether it's the processor that gets the database searching speedily.
Apr 4, 2008
I run a web hosting company and one of my servers is a LAMP server running CentOs 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.
However, when he FTPs into the account to modify these files, he doesn't have the appropriate permissions to do so as he doesn't have a root level login, just permissions on his home directory which is the site. Any help would be much appreciated.
Also, does anyone know how to change the owner/group of a directory and all of its sub directories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as opposed to 0755) than its parent, but if I do a top down user/group change on the folder it will change everything in that folder to 0755.
Jul 1, 2007
how to set up dns correctly as I have been trying for over a day now and not succeeded!
The situation is that I am using whm/cpanel. I have a domain hosted with godaddy that I want to point at my vps space. I have entered the nameservers into godaddy, and it now shows the placeholder page when I go to my domain.
I have set-up a user with ftp access to my main domain in whm, and uploaded an index page to test.
If I type in my domain name it goes to the godaddy placeholder page, if I type in the IP address it goes to an apache 'great success' page, and if I go to the same IP but with the users name added, it goes to the index file I uploaded.
I have played around with dns zones and A records but cannot get the index page to show when I enter my main domain name.
Aug 20, 2007
Does the following setting of PHP look normal in a shared hosting environment?
disable_functions (local value and master value are identical): ini_alter,system,passthru,shell_exec,leak,listen,chgrp,apache_setenv,define_syslog_variables,openlog,syslog,ftp_exec
Jun 25, 2007
Our business is in the middle of changing to an Exchange based Email Platform which will take effect in a few months, NOT NOW, but planning ahead I'm trying to help with the DNS issues behind the scene. The current Host and Registrar is flarehosting. However I have just transferred the Domain Name to my NAMECHEAP account and need to take over the DNS Controls. I want to make SURE this is done without ANY downtime for the company (website, current email system). After contacting the current host for correct settings I have 3 things I need help with.
newerafinance.com 208.21.164.25 (Used for Domain)
mail.newerafinance.com 208.21.167.4 (Used for WebBased Email AND pop/smtp)
MX is mail2.uploadmysite.com
I was told with the above info I need to set up A records, CNAME, URL Redirect and MX records. Before I try this myself I'd like some help with how this should be set up.
The Exchange server will be up at a future date so we need the current Email system to remain the same. Half of our users use pop/smtp and the other half web based email.
Jan 15, 2008
Now my site's online users went to more than 200; my max client is 200 and now the server load is slow. Can I increase the max client to 250?
Jan 29, 2008
I have IIS on my computer and I want to start using a php driven forum (SMF) on my web site. Before I upload the files I need to check the following settings are on:
the engine directive must be On.
the magic_quotes_sybase directive must be set to Off.
the session.save_path directive must be set to a valid directory, or empty.
the file_uploads directive must be On.
the upload_tmp_dir must be set to a valid directory, or empty.
I can't find anywhere within IIS where these directives may be found. Can anyone point me in the right direction?
Jan 28, 2008
I am being rejected by Hotmail when sending mail from my VPS. I want to send mails from punbb and OSCommerce, with various websites hosted on one VPS/Cpanel/LAMP solution. And with sendmail or SMTP, it's always the same: passing almost every ISP except Hotmail/Gmail. I also always get this part in my email header regardless of which website I'm sending email from:
Code:
Received: from host.locker4adream.com ([74.200.75.7])
by host.locker4adream.com with esmtpa (Exim 4.68)
So I think it's the host.locker4adream.com part that makes me rejected, because it's almost the only line in the email header that is different when I am using Outlook/Thunderbird to send mail. This IP (74.200.75.7) is mine and I never spammed or anything.
So I asked my host to add rDNS. And I added this line to my DNS zone on my mail domain:
Code:
lockeradream TXT "v=spf1 mx a ptr ip4:74.200.75.7/32 ip4:74.200.81.156/32?all"
I am really out of solutions! Can anyone tell me if the SPF record stated above is ok?
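An added example (not from the post or its replies): a small SPF term checker in Python. Run over the record above it reports that the missing space before "?all" has turned the last ip4 term into an invalid CIDR ("32?all"), that the record therefore has no "all" term, and that "ptr" is discouraged. It looks only at the record text; nothing is resolved in DNS, and the "fixed" record is the same one with the space restored.

```python
import ipaddress

# Copy of the record as posted above (note the missing space before "?all").
POSTED_SPF = "v=spf1 mx a ptr ip4:74.200.75.7/32 ip4:74.200.81.156/32?all"
# The same record with the space restored (assumed intent of the poster).
FIXED_SPF = "v=spf1 mx a ptr ip4:74.200.75.7/32 ip4:74.200.81.156/32 ?all"

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
QUALIFIERS = "+-~?"   # pass, fail, softfail, neutral


def check_spf(record):
    """Return findings for one SPF TXT record.

    "error:" entries make the record unusable (evaluation gives permerror);
    "warning:" entries are worth fixing but do not break evaluation.
    """
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["error: record must start with 'v=spf1'"]
    saw_all = False
    for raw in terms[1:]:
        if saw_all:
            findings.append(f"warning: '{raw}' comes after 'all' and is never evaluated")
            continue
        # Modifiers look like name=value (e.g. redirect=_spf.example.com).
        if "=" in raw.split(":", 1)[0]:
            name, _, value = raw.partition("=")
            if name.lower() not in MODIFIERS:
                findings.append(f"error: unknown modifier '{name}'")
            elif not value:
                findings.append(f"error: modifier '{name}' has no value")
            continue
        term = raw[1:] if raw and raw[0] in QUALIFIERS else raw
        name, _, arg = term.partition(":")
        if "/" in name:                      # "a/24" or "mx/24": CIDR without a colon
            name, _, cidr = name.partition("/")
            arg = "/" + cidr
        name = name.lower()
        if name not in MECHANISMS:
            findings.append(f"error: unknown mechanism '{raw}'")
            continue
        if name == "all":
            saw_all = True
            if arg:
                findings.append("error: 'all' takes no argument")
        elif name in ("ip4", "ip6"):
            if not arg:
                findings.append(f"error: '{name}' needs an address")
                continue
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                findings.append(f"error: '{name}:{arg}' is not a valid address/CIDR "
                                "(is a space missing before the next term?)")
                continue
            if net.version != (4 if name == "ip4" else 6):
                findings.append(f"error: '{name}:{arg}' has the wrong address family")
        elif name in ("include", "exists") and not arg:
            findings.append(f"error: '{name}' needs a domain")
        elif name == "ptr":
            findings.append("warning: 'ptr' is discouraged (RFC 7208 section 5.5): slow and unreliable")
    if not saw_all:
        findings.append("warning: no 'all' term, so unmatched senders get a Neutral result")
    return findings


def errors(record):
    """Only the findings that make the record invalid."""
    return [f for f in check_spf(record) if f.startswith("error:")]


if __name__ == "__main__":
    for rec in (POSTED_SPF, FIXED_SPF):
        print(rec)
        for finding in check_spf(rec) or ["ok"]:
            print("  ", finding)
```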
Mar 8, 2008
I'm running a pretty large site that brings in about 80k uniques each month; what would be a good setting to lower the SYN flood settings in the csf configuration?
Apr 7, 2008
I have a dedicated server and have 5 IP addresses in all.
3 IP addresses I am using already.
I want to give 2 IP addresses to a site; I have created DNS for that site:
ns1.domainname.com
ns2.domainname.com
For both NS I have given the 2 spare IPs.
Now I want to edit the DNS of that domain name; which section of the DNS do I edit in WHM, and what do I write in which field?
Jul 12, 2007
Is there a way to make it only paypal verified people can order?
Jan 19, 2007
I have over 200 bots or whatever they are, simply using over 200 different IPs to take down the site, and they were successful in slowing it down, but now it's working fine but with high loads. I installed DoS Deflate and mod_evasive, but can someone recommend me the best mod_evasive settings to prevent these kinds of attacks?
Jan 20, 2007
I cannot compile software from source because:
Code:
/usr/bin/uname -p = unknown
/bin/uname -X = unknown
/bin/arch = i686
/usr/bin/arch -k = unknown
/usr/convex/getsysinfo = unknown
hostinfo = unknown
/bin/machine = unknown
/usr/bin/oslevel = unknown
/bin/universe = unknown
PATH: /usr/kerberos/sbin
PATH: /usr/kerberos/bin
PATH: /usr/local/sbin
PATH: /usr/local/bin
PATH: /sbin
PATH: /bin
PATH: /usr/sbin
PATH: /usr/bin
PATH: /usr/X11R6/bin
PATH: /root/bin
Jun 4, 2007
I have bought a dedicated server with FDC servers and installed a script. Initially everything was working fine but now the site is not accessible. Everything is alright with the script installed but it looks like there is some issue with the DNS settings. When I ping the IP address (it's a dedicated IP address) it gives me an error. When I ping the domain name, it just closes the window after a few mins. Can someone experienced with WHM help me to fix the DNS settings? Of course, I am ready to pay for your help (though I might not have a very high budget).
Mar 30, 2007
mod_evasive settings?
I can't find out the setting which would ban all bad IPs and will not ban normal ones.
Sep 17, 2007
I'm having some issues with my vps hosting account. Awstats started showing ebay and yahoo as the most visited sites with that traffic originating from Hong Kong.
access_log has entries like this:
59.40.127.21 - - [07/Sep/2007:01:14:31 -0600] CONNECT 216.39.53.2:25 HTTP/1.1 200 13238
58.61.195.123 - - [17/Sep/2007:04:40:30 -0600] GET [url]HTTP/1.1 200 13216 Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
I contacted support and their response included:
- Most likely what is happening is that someone has mis-configured their computer so that it thinks your site is ebay.
- not malicious, site hits would be in millions if malicious. We can setup filtering if it continues.
Well it continues... and after some testing I find that I can telnet to port 80 to my servers IP with apache stopped and issue a - GET [url] HTTP/1.0 - and get yahoo's site.
This action doesn't show up in my access_log obviously because apache is stopped. So I'm now at the WTF stage. When I try the same thing with apache started and using domain name I get my sites main page but according to the access_log this person in HK is getting something else (different size).
I disabled and updated everything I could through their control panel and nmap shows ports (21,22,25,80,110,143,442,873) open, no UDP. I tried filtering but the HK host is dynamic.
- phpMyAdmin 2.9.2
- MySQL 4.1.9
- perl 5.8.7
- php 5.2.1
- roundcube 0.1.2
Can anyone offer some info as to what might be going on? I'm waiting to hear back from my host but it took them a while last time.
I came to WHT to get some help about what I asked above but kinda got lost reading the endless info on this site. Almost have me convinced that I "need" a dedicated server and I could spin off some hosting biz on the side... :/
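An added example (not from the post or its replies) of what a defender would run over the access_log described above: a Python pass that flags the two request shapes that only a forward proxy should ever honour, CONNECT tunnels and requests carrying an absolute URI for a host that is not one of the server's own. The log lines are constructed (documentation address ranges) in the same format as the post's, and OUR_HOSTS is an assumed list of the server's vhosts.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample access_log lines (documentation address ranges, not the
# real entries from the post). The first two mirror the pattern above: a
# CONNECT to an outside SMTP port and a GET carrying a full URL for another
# site; the rest are ordinary requests for this server's own pages.
SAMPLE_LOG = """\
203.0.113.21 - - [07/Sep/2007:01:14:31 -0600] CONNECT 198.51.100.2:25 HTTP/1.1 200 13238
203.0.113.123 - - [17/Sep/2007:04:40:30 -0600] "GET http://www.example.net/ HTTP/1.1" 200 13216 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
198.51.100.7 - - [17/Sep/2007:04:41:02 -0600] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Sep/2007:04:41:05 -0600] "GET http://www.example.com/about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.21 - - [17/Sep/2007:04:42:00 -0600] "POST /login HTTP/1.1" 302 0 "-" "curl/7.19"
"""

# Hostnames this server legitimately serves (assumption for the example).
OUR_HOSTS = {"example.com", "www.example.com"}

# Common/combined log format; the quotes around the request line are optional
# so that lines pasted without them (as in the post) still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"?(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"? '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def classify(line, our_hosts=OUR_HOSTS):
    """Return (client_ip, reason) if the request looks like proxy abuse, else None.

    CONNECT asks the server to open a tunnel (here to a remote SMTP port);
    an absolute URI whose host is not ours is a forward-proxy request rather
    than a request for one of this server's sites.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    if method == "CONNECT":
        return m["ip"], f"CONNECT tunnel request to {target}"
    url = urlsplit(target)
    if url.scheme in ("http", "https") and url.hostname and url.hostname.lower() not in our_hosts:
        return m["ip"], f"{method} with absolute URI for foreign host {url.hostname}"
    return None


def find_proxy_abuse(log_text, our_hosts=OUR_HOSTS):
    """All (client_ip, reason) hits in log_text, in file order."""
    hits = []
    for line in log_text.splitlines():
        hit = classify(line, our_hosts)
        if hit:
            hits.append(hit)
    return hits


def offenders(log_text, our_hosts=OUR_HOSTS):
    """Hit counts per client IP; feed the top entries to your firewall deny list."""
    return Counter(ip for ip, _ in find_proxy_abuse(log_text, our_hosts))


if __name__ == "__main__":
    for ip, why in find_proxy_abuse(SAMPLE_LOG):
        print(ip, why)
    print(offenders(SAMPLE_LOG).most_common())
```

A server answering CONNECT or foreign absolute URIs with 200 is acting as an open proxy; the fix is on the server (no mod_proxy / ProxyRequests Off in Apache, nothing else listening on 80 when Apache is stopped), and this scan only tells you who has been using it.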
Nov 6, 2007
whether it's a good idea to enable these settings for eAccelerator?
eaccelerator.shm_max
eaccelerator.shm_ttl
eaccelerator.shm_prune_period
There are scripts which are accessed once a day, and I guess I should set it to prune those scripts which aren't accessed for a few hours or so?
Sep 29, 2007
1. For a Virtuozzo based VPS of 256MB guaranteed RAM and 512MB burst RAM:
vmguarpages 0 65,536 2,147,483,647
= 256MB
privvmpages 89,894 117,964 131,072
= 460MB / 512MB
oomguarpages 46,346 65,536 2,147,483,647
= 256MB
Does the above indicate that the burst is actually up to 460MB or 512MB?
Does it also mean that 256MB is guaranteed even in out of memory situations?
2. For a Virtuozzo based VPS of 512MB guaranteed RAM and no burst RAM:
vmguarpages 0 67,584 2,147,483,647
= 264MB
privvmpages 82,870 131,072 139,264
= 512MB
oomguarpages 37,507 52,224 2,147,483,647
= 204MB
This seems to indicate there is 264MB guaranteed RAM and 512MB burst RAM. But the 204MB does not seem to tie in. Does this indicate that although 264MB is guaranteed, in an out of memory situation, only 204MB is guaranteed?
Does the second example seem right for a 512MB VPS? Or does it seem to be incorrectly setup?
Dec 12, 2006
For some reason some clients including my own test account have not been able to receive emails correctly. Basically if I send email to an external address such as Yahoo, Gmail, AOL etc, they receive them fine. However all incoming mail is blank for all clients. I mean blank as in there is no time or date stamp, no sender details unless you look in the header, and the title just displays unknown.
Has anyone an idea why or how this could have happened?
I've even tried these with all spam filters off etc. I think the mail prog is qmail.
Feb 7, 2008
I want to shift my mail to Google Apps (standard version). Currently my DNS is pointed towards 1and1 dedicated servers (having problems with 1and1 mail services). Want to keep hosting with them but change the Email to Google apps.
The Registrar of the domain is Netfirms, Inc.
My current Settings for nameservers in Nefirms CP are:
ns29.1and1.com
ns30.1and1.com
Google Instructed me to verify first by creating a CNAME, which I did in Netfirms control panel.
'googlexxxxx.mydomain.com' Pointing to 'google.com'
DONE.
Google gave me the MX records to enter in the Netfirms panel.
ASPMX.L.GOOGLE.COM
ALT1.ASPMX.L.GOOGLE.COM
DONE.
It's been more than 24 hours, and neither the MX update nor the CNAME lookup 'googlexxxxx.mydomain.com' is propagating.
What am I supposed to do here? I have been waiting here for the last 24 hours. I think that I have to set up these settings with my registrar (Netfirms) rather than it having something to do with 1and1?
Any suggestions?
Sep 10, 2009
Is there a way in Ubuntu 8.10 to have a default chmod? Every time someone uploads a file they have to chmod it so that it can be seen/used by the web.
Jun 7, 2008
I use a couple of different hosting companies.
Recently, I've begun setting up blogs.
I've been trying to set up blogs on Company "A" for the past month and have had nothing but problems.
While waiting to hear back - one more time - from tech support on Company "A"
I set up a blog on Company "B". Everything set up perfectly, smoothly and in about 1 hour I had the blog up and running.
I'm using 2.5.1 WPB and plugins that are NOT known to have "issues".
I've used the same themes and plugins on "A" and "B".
I changed permissions on a couple of the plugins (company A) and the plugins just disappeared.
I tried setting up widgets and none work.
if there are specific settings server side that make setting up blogs work/not work?
Sep 6, 2008
I have a problem with my csf settings. I don't know why, but now when I start csf I block my server. I came from a backup before with the same config and it was working very well; I don't know why it is not working this time.
Code:
###############################################################################
# Copyright 2006, Way to the Web Limited
# URL: http://www.waytotheweb.com
# Email: sales@waytotheweb.com
###############################################################################
# This configuration is for use with generic Linux servers, do not change the
# following setting:
GENERIC = "1"
# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
TESTING = "0"
# The interval for the crontab in minutes. Since this uses the system clock the
# CRON job will run at the interval past the hour and not from when you issue
# the start command. Therefore an interval of 5 minutes means the firewall
# will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = "5"
# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which
# runs once per day to see if there is an update to csf+lfd and upgrades if
# available and restarts csf and lfd. Updates do not overwrite configuration
# files or email templates. An email will be sent to the root account if an
# update is performed
AUTO_UPDATES = "1"
# By default, csf will auto-configure iptables to filter all traffic except on
# the local (lo:) device. If you only want iptables rules applied to a specific
# NIC, then list it here (e.g. eth1, or eth+)
ETH_DEVICE = "venet0"
# If you don't want iptables rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP = ""
# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).
# Allow incoming TCP ports
TCP_IN = "21,22,25,53,80,110,143,443,993,995,3306,3784,7776:7779,8767,10000,35000:36000,14534,51234,25000:26000,9339,6969"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,953,995,9339,6969,5558,2222"
# Allow incoming UDP ports
UDP_IN = "20,21,53,953,3784,8767,1000"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,953,1000:3800,6100,6881"
# Allow incoming PING
ICMP_IN = "1"
# Set the per IP address incoming ICMP packet rate
# To disable rate limiting set to "0"
ICMP_IN_RATE = "1/s"
# Allow outgoing PING
ICMP_OUT = "1"
# Set the per IP address outgoing ICMP packet rate
# To disable rate limiting set to "0"
ICMP_OUT_RATE = "1/s"
# If this is a MONOLITHIC kernel (i.e. it has no LKM support, e.g. a VPS) then
# set this to 1. Because of the nature of monolithic kernels, it's not easy to
# determine which modules have been built-in, so some functionality may not be
# available and this firewall script may not work.
#
# One example is if the ip_conntrack and ip_conntrack_ftp iptables kernel
# modules are not available. If this happens, FTP passive mode (PASV) won't
# work. In such circumstances you will have to open a hole in your firewall and
# configure the FTP daemon to use that same hole. For example, with pure-ftpd
# you could add the port range 30000:35000 to TCP_IN and add the following line
# to /etc/pure-ftpd.conf (without the leading #):
# PassivePortRange30000 35000
# Then restart pure-ftpd and csf and passive FTP should then work
MONOLITHIC_KERNEL = "1"
# Drop target for iptables rules. This can be set to either DROP or REJECT.
# REJECT will send back an error packet, DROP will not respond at all. REJECT
# is more polite, however it does provide extra information to a hacker and
# lets them know that a firewall is blocking their attempts. DROP hangs their
# connection, thereby frustrating attempts to port scan the server.
DROP = "DROP"
# Enable logging of dropped connections to blocked ports to syslog, usually
# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
DROP_LOGGING = "1"
# Enable logging of dropped connections to blocked IP addresses in csf.deny or
# by lfd with temporary connection tracking blocks. Do not enable this option
# if you use Port Scan Tracking
DROP_IP_LOGGING = "0"
# Only log reserved port dropped connections (0:1023). Useful since you're not
# usually bothered about ephemeral port drops
DROP_ONLYRES = "0"
# Commonly blocked ports that you do not want logging as they tend to just fill
# up the log file. These ports are specifically blocked (applied to TCP and UDP
# protocols) for incoming connections
DROP_NOLOG = "67,68,111,113,135:139,445,513,520"
# Enable packet filtering for unwanted or illegal packets
PACKET_FILTER = "1"
# Log packets dropped by the packet filtering option PACKET_FILTER. This will
# show packet drops that iptables has deemed INVALID (i.e. there is no
# established TCP connection in the state table), or if the TCP flags in the
# packet are out of sequence or illegal in the protocol exchange.
#
# If you see packets being dropped that you would rather allow then disable the
# PACKET_FILTER option above by setting it to "0"
DROP_PF_LOGGING = "0"
# Enable SYN flood protection. This option configures iptables to offer some
# protection from tcp SYN packet DOS attempts. You should set the RATE so that
# false-positives are kept to a minimum otherwise visitors may see connection
# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
# man page for the correct --limit rate syntax
SYNFLOOD = "0"
SYNFLOOD_RATE = "4/s"
# Enable verbose output of iptables commands
VERBOSE = "1"
# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
# perl module Sys::Syslog installed to use this feature
SYSLOG = "1"
# If you wish to allow access from dynamic DNS records (for example if your IP
# address changes whenever you connect to the internet but you have a dedicated
# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
# records in csf.dyndns and then set the following to the number of seconds to
# poll for a change in the IP address. If the IP address has changed iptables
# will be updated.
#
# A setting of 600 would check for IP updates every 10 minutes. Set the value
# to 0 to disable the feature
DYNDNS = "0"
# Limit the number of IP's kept in the /etc/csf/csf.deny file. This can be
# important as a large number of IP addresses create a large number of iptables
# rules (4 times the number of IP's) which can cause problems on some systems
# where either the the number of iptables entries has been limited (esp VPS's)
# or where resources are limited. This can result in slow network performance,
# or, in the case of iptables entry limits, can prevent your server from
# booting as not all the required iptables chain settings will be correctly
# configured. The value set here is the maximum number of IPs/CIDRs allowed
# if the limit is reached, the entries will be rotated so that the oldest
# entries (i.e. the ones at the top) will be removed and the latest is added.
# The limit is only checked when using csf -d (which is what lfd also uses)
# Set to 0 to disable limiting
DENY_IP_LIMIT = "100"
# Limit the number of IP's kept in the temporary IP ban list. If the limit is
# reached the oldest IP's in the ban list will be removed and allowed
# regardless of the amount of time remaining for the block
# Set to 0 to disable limiting
DENY_TEMP_IP_LIMIT = "100"
# Temporary to Permanent IP blocking. The following enables this feature to
# permanently block IP addresses that have been temporarily blocked
# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
# LF_PERMBLOCK to "1" to enable this feature
#
# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
# (TTL) for blocked IPs, to be effective
#
# Set LF_PERMBLOCK to "0" to disable this feature
LF_PERMBLOCK = "0"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
# Permanently block IPs by network class. The following enables this feature
# to permanently block classes of IP address where individual IP addresses
# within the same class LF_NETBLOCK_CLASS have already been blocked
# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
# LF_NETBLOCK to "1" to enable this feature
#
# This can be an effective way of blocking DDOS attacks launched from within
# the same network class
#
# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
# consideration is required when blocking network classes A or B
#
# Set LF_NETBLOCK to "0" to disable this feature
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
# The following Global options allow you to specify a URL where csf can grab a
# centralised copy of an IP allow or deny block list of your own. You need to
# specify the full URL in the following options, i.e.:
# http://www.somelocation.com/allow.txt
#
# The actual retrieval of these IP's is controlled by lfd, so you need to set
# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
# will perform the retrieval when it runs and then again at the specified
# interval. A sensible interval would probably be every 3600 seconds (1 hour)
#
# You do not have to specify both an allow and a deny file
#
# You can also configure a global ignore file for IP's that lfd should ignore
GLOBAL_ALLOW = ""
GLOBAL_DENY = ""
GLOBAL_IGNORE = ""
LF_GLOBAL = ""
# Enable login failure detection daemon (lfd). If set to 0 none of the other LF
# settings have any effect as the daemon won't start.
# When the trigger level of failures is reached lfd will use csf to add the IP
# to the /etc/csf/csf.deny file and block it
LF_DAEMON = "1"
# The following[*] triggers are application specific. If you set LF_TRIGGER to
# "0" the value of each trigger is the number of failures against that
# application that will trigger lfd to block the IP address
#
# If you set LF_TRIGGER to a value greater than "0" then the following[*]
# application triggers are simply on or off ("0" or "1") and the value of
# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
# to block the IP address
#
# Setting the application trigger to "0" disables it
LF_TRIGGER = "0"
# If LF_TRIGGER is > 1 then the following can be set to "1" to permanently
# block the IP address, or if set to a value greater than "1" then the IP
# address will be blocked temporarily for the value in seconds. For example:
# LF_TRIGGER = "1" => the IP is blocked permanently
# LF_TRIGGER = "3600" => the IP is blocked temporarily for 1 hour
#
# If LF_TRIGGER is 0, then the application LF_[application]_PERM value works in
# the same way as above
LF_TRIGGER_PERM = "1"
# To only block access to the failed application instead of a complete block
# for an ip address, you can set the following to "1", but LF_TRIGGER must be
# set to "0" with specific application[*] trigger levels also set
LF_SELECT = "0"
#[*]Enable login failure detection of sshd connections
LF_SSHD = "5"
LF_SSHD_PERM = "1"
#[*]Enable login failure detection of pure-ftpd connections
LF_FTPD = "10"
LF_FTPD_PERM = "1"
#[*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"
#[*]Enable login failure detection of courier pop3 connections. This will not
# trap the older cppop daemon
LF_POP3D = "10"
LF_POP3D_PERM = "1"
#[*]Enable login failure detection of courier imap connections. This will not
# trap the older cpimap (uwimap) daemon
LF_IMAPD = "10"
LF_IMAPD_PERM = "1"
#[*]Enable login failure detection of Apache .htpasswd connections
# Due to the often high logging rate in the Apache error log, you might want to
# enable this option only if you know you are suffering from attacks against
# password protected directories
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"
#[*]Enable failure detection of Apache mod_security connections
# Due to the often high logging rate in the Apache error log, you might want to
# enable this option only if you know you are suffering from attacks against
# web scripts
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"
#[*]Enable detection of suhosin triggers and blocking of attackers
# Example: LF_SUHOSIN = "5"
LF_SUHOSIN = "0"
LF_SUHOSIN_PERM = "1"
# Check that csf appears to have been stopped. This checks the status of the
# iptables INPUT chain. If it's not set to DROP, LF will run csf. This will not
# happen if TESTING is enabled above. The check is done every 300 seconds
LF_CSF = "1"
# Send an email alert if anyone logs in successfully using SSH
LF_SSH_EMAIL_ALERT = "1"
# Send an email alert if anyone uses su to access another account. This will
# send an email alert whether the attempt to use su was successful or not
LF_SU_EMAIL_ALERT = "1"
# Enable Directory Watching. This enables lfd to check /tmp and /dev/shm
# directories for suspicious files, i.e. script exploits. If a suspicious
# file is found an email alert is sent. Only one alert per file is sent until
# lfd is restarted, so if you remove a suspicious file, remember to restart lfd
#
# To enable this feature set the following to the checking interval in seconds.
# To disable set to "0"
LF_DIRWATCH = "60"
# To remove any suspicious files found during directory watching, enable the
# following. These files will be appended to a tarball in
# /etc/csf/suspicious.tar
LF_DIRWATCH_DISABLE = "0"
# This option allows you to have lfd watch a particular file or directory for
# changes and should they change an email alert using watchalert.txt is sent
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 60 would seem sensible) and add your entries to csf.dirwatch
#
# To disable set to "0"
LF_DIRWATCH_FILE = "0"
# This is the interval that is used to flush reports of usernames, files and
# pids so that persistent problems continue to be reported, in seconds.
# A value of 3600 seems sensible
LF_FLUSH = "3600"
# System Integrity Checking. This enables lfd to compare md5sums of the
# servers OS binary application files from the time when lfd starts. If the
# md5sum of a monitored file changes an alert is sent. This option is intended
# as an IDS (Intrusion Detection System) and is the last line of detection for
# a possible root compromise.
#
# There will be constant false-positives as the servers OS is updated or
# monitored application binaries are updated. However, unexpected changes
# should be carefully inspected.
#
# Modified files will only be reported via email once.
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 3600 would seem sensible). This option may put an increased I/O
# load onto the server as it checks system binaries.
#
# To disable set to "0"
LF_INTEGRITY = "3600"
# System Exploit Checking. This enables lfd to check for the Random JS Toolkit
# and may check for others in the future:
# http://www.cpanel.net/security/notes/random_js_toolkit.html
# It compares md5sums of the binaries listed in the exploit above for changes
# and also attempts to create and remove a number directory
#
# Modified files will only be reported via email once, though will be reset
# after an hour
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 300 would seem sensible).
#
# To disable set to "0"
LF_EXPLOIT = "300"
# This comma separated list allows you to (de)select which tests LF_EXPLOIT
# performs
#
# For the SUPERUSER check, you can list usernames in csf.suignore to have them
# ignored for that test
#
# Valid tests are:
# JS,SUPERUSER
LF_EXPLOIT_CHECK = "JS,SUPERUSER"
# Set the time interval to track login failures within (seconds), i.e.
# LF_TRIGGER failures within the last LF_INTERVAL seconds
LF_INTERVAL = "300"
# Set the log file parsing interval (seconds). This is how long the daemon
# sleeps before processing the log file entries since the last scan finished
LF_PARSE = "5"
# Send an email alert if an IP address is blocked
LF_EMAIL_ALERT = "1"
# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
# per IP
LT_EMAIL_ALERT = "1"
# Block POP3 logins if greater than LT_POP3D times per hour per account per IP
# address (0=disabled)
LT_POP3D = "15"
# Block IMAP logins if greater than LT_IMAPD times per hour per account per IP
# address (0=disabled) - not recommended for IMAP logins due to the ethos
# within which IMAP works. If you want to use this, setting it quite high is
# probably a good idea
LT_IMAPD = "0"
# Enable IP range blocking using the DShield Block List at
# http://www.dshield.org/block_list_info.php
# To enable this feature, set the following to the interval in seconds that you
# want the block list updated. The list is reasonably static during the length
# of a day, so it would be appropriate to only update once every 24 hours, so
# a value of "86400" is recommended
LF_DSHIELD = "86400"
# The DShield block list URL. If you change this to something else be sure it
# is in the same format as the block list
LF_DSHIELD_URL = "http://feeds.dshield.org/block.txt"
# Enable IP range blocking using the Spamhaus DROP List at
# http://www.spamhaus.org/drop/index.lasso
# To enable this feature, set the following to the interval in seconds that you
# want the block list updated. The list is reasonably static during the length
# of a day, so it would be appropriate to only update once every 24 hours, so
# a value of "86400" is recommended
LF_SPAMHAUS = "86400"
# The Spamhaus DROP List URL. If you change this to something else be sure it
# is in the same format as the drop list
LF_SPAMHAUS_URL = "http://www.spamhaus.org/drop/drop.lasso"
# Enable IP range blocking using the BOGON List at
# http://www.cymru.com/Bogons/
# To enable this feature, set the following to the interval in seconds that you
# want the block list updated. The list is reasonably static during the length
# of a day, so it would be appropriate to only update once every 24 hours, so
# a value of "86400" is recommended
#
# Do NOT use this option if your server uses IP's on the bogon list (e.g. this
# is often the case with servers behind a NAT firewall using ip routing)
LF_BOGON = "0"
# The BOGON List URL. If you change this to something else be sure it
# is in the same format as the drop list
LF_BOGON_URL = "http://www.cymru.com/Documents/bogon-bn-agg.txt"
# Connection Tracking. This option enables tracking of all connections from IP
# addresses to the server. If the total number of connections is greater than
# this value then the offending IP address is blocked. This can be used to help
# prevent some types of DOS attack.
#
# Care should be taken with this option. It's entirely possible that you will
# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
# and HTTP so it could be quite easy to trigger, especially with a lot of
# closed connections in TIME_WAIT. However, for a server that is prone to DOS
# attacks this may be very useful. A reasonable setting for this option might
# be around 200.
#
# To disable this feature, set this to 0
CT_LIMIT = "200"
# Connection Tracking interval. Set this to the number of seconds between
# connection tracking scans. Don't set this too low or you will affect server
# performance as lfd runs netstat each time to determine the connections
CT_INTERVAL = "60"
# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = "1"
# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared periodically or whenever the firewall
# is restarted
CT_PERMANENT = "0"
# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins)
CT_BLOCK_TIME = "3200"
# If you don't want to count the TIME_WAIT state against the connection count
# then set the following to "1"
CT_SKIP_TIME_WAIT = "0"
# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
#
# Leave this option empty to count all states against CT_LIMIT
CT_STATES = ""
# Process Tracking. This option enables tracking of user and nobody processes
# and examines them for suspicious executables or open network ports. Its
# purpose is to identify potential exploit processes that are running on the
# server, even if they are obfuscated to appear as system services. If a
# suspicious process is found an alert email is sent with relevant information.
# It is then the responsibility of the recipient to investigate the process
# further as the script takes no further action. Processes (PIDs) are only
# reported once unless lfd is restarted.
#
# The following is the number of seconds a process has to be active before it
# is inspected. If you set this time too low, then you will likely trigger
# false-positives with CGI or PHP scripts.
# Set the value to 0 to disable this feature
PT_LIMIT = "60"
# How frequently processes are checked in seconds
PT_INTERVAL = "60"
# If you want process tracking to highlight php or perl scripts that are run
# through apache for greater than PT_LIMIT seconds then disable the following,
# i.e. set it to 0
#
# While enabling this setting will reduce false-positives, having it set to 0
# does provide better checking for exploits running on the server
PT_SKIP_HTTP = "1"
# User Process Tracking. This option enables the tracking of the number of
# processes any given linux account is running at one time. If the number of
# processes exceeds the value of the following setting an email alert is sent
# with details of those processes. A user is only reported once, so lfd must be
# restarted to reinstate checking of all users. If you specify a user in
# csf.pignore it will be ignored
#
# Set to 0 to disable this feature
PT_USERPROC = "10"
# This User Process Tracking option sends an alert if any linux user process
# exceeds the memory usage set (MB). To ignore specific processes or users use
# csf.pignore
#
# Set PT_USERKILL to have lfd kill off the process
#
# Set to 0 to disable this feature
PT_USERMEM = "100"
# This User Process Tracking option sends an alert if any linux user process
# exceeds the time usage set (seconds). To ignore specific processes or users
# use csf.pignore
#
# Set PT_USERKILL to have lfd kill off the process
#
# Set to 0 to disable this feature
PT_USERTIME = "3200"
# If this option is set then processes detected by PT_USERMEM or PT_USERTIME
# or PT_USERPROC are killed
PT_USERKILL = "0"
# Check the PT_LOAD_AVG minute Load Average (can be set to 1 5 or 15 and
# defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the
# load average is greater than or equal to PT_LOAD_LEVEL then an email alert is
# sent. lfd then does not report subsequent high load until PT_LOAD_SKIP
# seconds has passed to prevent email floods.
#
# Set PT_LOAD to "0" to disable this feature
PT_LOAD = "30"
PT_LOAD_AVG = "5"
PT_LOAD_LEVEL = "6"
PT_LOAD_SKIP = "3600"
# If a PT_LOAD event is triggered, then if the following contains the path to
# a script, it will be run in a child process. For example, the script could
# contain commands to terminate and restart httpd, php, exim, etc in case of
# looping processes
PT_LOAD_ACTION = ""
# Port Scan Tracking. This feature tracks port blocks logged by iptables to
# syslog. If an IP address generates a port block that is logged more than
# PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked.
#
# This feature could, for example, be useful for blocking hackers attempting
# to access the standard SSH port if you have moved it to a port other than 22
# and have removed 22 from the TCP_IN list so that connection attempts to the
# old port are being logged
#
# This feature blocks all iptables blocks from the iptables logs, including
# repeated attempts to one port or SYN flood blocks, etc
#
# Note: This feature will only track iptables blocks from the log file set in
# IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will
# cause redundant blocking with DROP_IP_LOGGING enabled
#
# Warning: It's possible that an elaborate DDOS (i.e. from multiple IP's)
# could very quickly fill the iptables rule chains and cause a DOS in itself.
# The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks
# and the DENY_TEMP_IP_LIMIT with temporary blocks
#
# Set PS_INTERVAL to "0" to disable this feature. A value of between 60 and 300
# would be sensible to enable this feature
PS_INTERVAL = "0"
PS_LIMIT = "10"
# You can specify the ports and/or port ranges that should be tracked by the
# Port Scan Tracking feature. The following setting is a comma separated list
# of those ports and uses the same format as TCP_IN. The default setting of
# 0:65535 covers all ports
PS_PORTS = "0:65535"
# You can select whether IP blocks for Port Scan Tracking should be temporary
# or permanent. Set PS_PERMANENT to "0" for temporary and "1" for permanent
# blocking. If set to "0" PS_BLOCK_TIME is the amount of time in seconds to
# temporarily block the IP address for
PS_PERMANENT = "0"
PS_BLOCK_TIME = "3600"
# Set the following to "1" to enable Port Scan Tracking email alerts, set to
# "0" to disable them
PS_EMAIL_ALERT = "1"
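The checker below is an added example, not csf's own code and not part of the post. It parses lines in the KEY = "VALUE" syntax used by csf.conf, applies the LF_TRIGGER / LF_[application] / _PERM block semantics the comments above describe, and flags the combinations those comments call ineffective or risky (LF_SELECT without LF_TRIGGER = "0", a GLOBAL_* URL with LF_GLOBAL left empty, LF_BOGON on a possibly NATed host, CT_LIMIT far below the suggested 200, PS_INTERVAL = "0", LT_IMAPD enabled). The sample fragment and its URL are constructed for the demo, and the thresholds only restate the suggestions in the comments; they are not csf's own validation.

```python
"""Consistency checker for a csf.conf fragment (added example, not csf's own code).

Parses KEY = "VALUE" lines, applies the LF_TRIGGER / LF_<APP> / *_PERM block
semantics that the file's comments document, and flags combinations those
comments say are ineffective or risky. SAMPLE_CONF is constructed for this
demo; the key names are real csf.conf keys, the thresholds below restate the
comments' suggested values and are not csf's own validation logic.
"""
import re

SAMPLE_CONF = """\
# constructed fragment in csf.conf syntax (values chosen to trip the checks)
LF_DAEMON = "1"
LF_TRIGGER = "0"
LF_TRIGGER_PERM = "1"
LF_SELECT = "1"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "10"
LF_FTPD_PERM = "3600"
GLOBAL_DENY = "http://lists.example.invalid/deny.txt"
LF_GLOBAL = ""
LF_BOGON = "1"
CT_LIMIT = "20"
PS_INTERVAL = "0"
LT_IMAPD = "30"
"""

# csf.conf assignment lines look like:  KEY = "value"   (comments start with '#')
LINE_RE = re.compile(r'^\s*([A-Z][A-Z0-9_]*)\s*=\s*"([^"]*)"\s*$')


def parse_conf(text):
    """Return {KEY: value} for every assignment line; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def to_int(value, default=0):
    """Parse a csf numeric setting; missing or empty values fall back to `default`."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def block_decision(conf, app, app_failures, total_failures):
    """Decide whether lfd would block an IP for `app` (e.g. "SSHD") and how.

    Returns (blocked, mode) with mode "permanent", "temporary:<seconds>" or None.
    LF_TRIGGER = "0": LF_<APP> is that application's failure threshold and
    LF_<APP>_PERM chooses the block type.  LF_TRIGGER > 0: LF_<APP> is only an
    on/off switch, the cumulative count is compared with LF_TRIGGER and
    LF_TRIGGER_PERM chooses the block type.
    """
    if conf.get("LF_DAEMON") != "1":
        return (False, None)                 # lfd is not running: nothing is blocked
    app_setting = to_int(conf.get(f"LF_{app}"))
    if app_setting == 0:
        return (False, None)                 # application trigger disabled
    global_trigger = to_int(conf.get("LF_TRIGGER"))
    if global_trigger == 0:
        fires = app_failures >= app_setting
        perm = to_int(conf.get(f"LF_{app}_PERM"), 1)
    else:
        fires = total_failures >= global_trigger
        perm = to_int(conf.get("LF_TRIGGER_PERM"), 1)
    if not fires:
        return (False, None)
    return (True, "permanent" if perm <= 1 else f"temporary:{perm}")


def audit(conf):
    """Flag settings the csf.conf comments describe as ineffective or risky."""
    findings = []
    if conf.get("LF_DAEMON") != "1":
        findings.append("LF_DAEMON is not 1: lfd will not start, so no LF_* setting has any effect")
    if conf.get("LF_SELECT") == "1" and to_int(conf.get("LF_TRIGGER")) != 0:
        findings.append("LF_SELECT=1 only works with LF_TRIGGER=0 and per-application trigger levels")
    if any(conf.get(k) for k in ("GLOBAL_ALLOW", "GLOBAL_DENY", "GLOBAL_IGNORE")) and not conf.get("LF_GLOBAL"):
        findings.append("a GLOBAL_* list URL is set but LF_GLOBAL is empty: lfd will never retrieve it")
    if to_int(conf.get("LF_BOGON")) != 0:
        findings.append("LF_BOGON enabled: confirm none of the server's own IPs (e.g. behind NAT) are on the bogon list")
    ct_limit = to_int(conf.get("CT_LIMIT"))
    if 0 < ct_limit < 200:
        findings.append(f"CT_LIMIT={ct_limit} is far below the ~200 suggested; FTP/IMAP/HTTP clients may trip it")
    if to_int(conf.get("PS_INTERVAL")) == 0:
        findings.append("PS_INTERVAL=0: port scan tracking is disabled (60-300 suggested to enable it)")
    if to_int(conf.get("LT_IMAPD")) != 0:
        findings.append("LT_IMAPD is non-zero: the comments advise against rate-limiting IMAP logins")
    return findings


if __name__ == "__main__":
    cfg = parse_conf(SAMPLE_CONF)
    for finding in audit(cfg):
        print("WARN:", finding)
    print("SSHD after 5 failures:", block_decision(cfg, "SSHD", 5, 5))
```

Point `parse_conf` at the contents of a real /etc/csf/csf.conf to run the same checks against it; `block_decision` is useful for reasoning about what a given LF_TRIGGER / LF_[application] combination will actually do before enabling it.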
Jun 4, 2008
I just installed a new version of CSF again on my server.
Based on the article and tutorial that I read, I do not have to change much in csf.conf if I am installing it on a WHM/cPanel server.
I notice the new version 3.33 has new functions such as synflood and so on; can someone tell me if I need to change any settings inside my csf.conf other than disabling testing (TESTING = 0) on a fresh new cPanel server?