###############################################################################
# Copyright 2006-2010, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################


ConfigServer Security & Firewall
################################

This suite of scripts provides:

   1. A straight-forward SPI iptables firewall script
   2. A daemon process that checks for Login Authentication
   3. A Control Panel configuration interface
   4. ... and much more!

The reason we have developed this suite is that we have found over the years of 
providing server management services that many of the tools available for the
task are either over-complex, not very friendly, or simply aren't as effective
as they could or should be.


This document contains:

1. Introduction

2. csf Principles

3. lfd Principles

4. csf Command Line Options

5. lfd Command Line Options

6. Login Tracking

7. Script Email Alerts

8. Process Tracking

9. Directory Watching

10. Advanced Allow/Deny Filters

11. Multiple Ethernet Devices

12. Installation on a Generic Linux Server

13. A note about FTP Connection Issues

14. Messenger Service

15. Block Reporting

16. Port Flood Protection

17. External Pre- and Post- Scripts


1. Introduction
###############


ConfigServer Firewall (csf)
===========================

We have developed an SPI iptables firewall that is straight-forward, easy and
flexible to configure and secure with extra checks to ensure smooth operation.

csf can be used on any (supported - see the website) generic Linux OS.

The csf installation includes preconfigured configurations and control panel
UI's for cPanel, DirectAdmin and Webmin

Login Failure Daemon (lfd)
==========================

To complement the ConfigServer Firewall, we have developed a daemon process
that runs all the time and periodically (every X seconds) scans the latest log
file entries for login attempts against your server that continually fail
within a short period of time. Such attempts are often called "Brute-force
attacks" and the daemon process responds very quickly to such patterns and
blocks offending IP's quickly. Other similar products run every x minutes via
cron and as such often miss break-in attempts until after they've finished, our
daemon eliminates such long waits and makes it much more effective at
performing its task.

There are an array of extensive checks that lfd can perform to help alert the
server administrator of changes to the server, potential problems and possible
compromises.

On cPanel servers, lfd is integrated into the WHM > Service Manager, which will
restart lfd if it fails for any reason.

Control Panel Interface
=======================

To help with the ease and flexibility of the suite we have developed a
front-end to both csf and lfd for cPanel, DirectAdmin and Webmin. From there
you can modify the configuration files and stop, start and restart the
applications and check their status. This makes configuring and managing the
firewall very simple indeed.

There is also an abbreviated UI for mobile phone access to Quick Allow, Quick
Deny and Remove Deny. Direct URLs:
    cPanel: https://1.2.3.4:2087/cgi/addon_csf.cgi?mobi=1
    DA: https://1.2.3.4:2222/CMD_PLUGINS_ADMIN/csf/index.html?mobi=1
    Webmin: https://1.2.3.4:10000/csf/?mobi=1

There is, of course, a comprehensive Command Line Interface (CLI) for csf.


2. csf Principles
#################

The idea with csf, as with most iptables firewall configurations, is to block 
everything and then allow through only those connections that you want. This is
done in iptables by DROPPING all connections in and out of the server on all 
protocols. Then allow traffic in and out from existing connections. Then open 
ports up in and outgoing for both TCP and UDP individually.

This way we can control exactly what traffic is allowed in and out of the
server and helps protect the server from malicious attack.

In particular it prevents unauthorised access to network daemons that we want
to restrict access by IP address, and also should a service suffer a
compromise, it can help prevent access to compromise networks daemons, a
typical example being a hackers sshd daemon running on a random open port.
Perhaps the greatest of reasons is to help mitigate the effects of suffering a
root compromise where often they only way to take advantage of such a failure
is to open a daemon for the hacker to access the server on. While this won't
prevent root compromises, it can help slow them down enough for you to notice
and react.

Another way that a port filtering firewall can help is when a user level 
compromise occurs and a hacker installs DOS tools to effect other servers. A 
firewall configured to block outgoing connections except on specific ports can
help prevent DOS attacks from working and make it immediately apparent to you 
from the system logs.

csf has been designed to keep this configuration simple, but still flexible 
enough to give you options to suit your server environment. Often firewall 
scripts can become cumbersome of complex making it impossible to identify where
problems lie and to easily fix them.

To take advantage of kernel logging of iptables dropped connections you should
ensure that kernel logging daemon (klogd) is enabled. Typically, VPS servers
have this disabled and you should check /etc/init.d/syslog and make sure that
any klogd lines are not commented out. If you change the file, remember to
restart syslog.


3. lfd Principles
#################

One of the best ways to protect the server from inbound attack against network 
daemons is to monitor their authentication logs. Invalid login attempts which 
happen in a short space of time from the same source can often mean someone is 
attempting to brute-force their way into the server, usually by guessing 
usernames and passwords and therefore generating authentication and login 
failures.

lfd can monitor the most commonly abused protocols, SSHD, POP3, IMAP, FTP and 
HTTP password protection. Unlike other applications, lfd is a daemon process 
that monitors logs continuously and so can react within seconds of detecting 
such attempts. It also monitors across protocols, so if attempts are made on 
different protocols in a short space of time, all those attempts will be
counted against the threshold.

Once the number of failed login attempts is reached, lfd immediately forks a
sub-process and uses csf to block the offending IP address from both in and
outgoing connections. Stopping the attack in its tracks in a quick and timely
manner. Other applications that use cron job timings to run usually completely
miss brute force attacks as they run usually every 5 minutes or by which time
the attack could be over, or simply biding its time. In the meantime lfd will
have block the offenders IP address.

By running the block and alert email actions in a sub-process, the main daemon
can continue monitoring the logs without delay.

If you want to know when lfd blocks an IP address you can enable the email
alert (which is on by default) and you should watch the log file in
/var/log/lfd.log. If you use logcheck, you can add it to your log monitoring
by editing logcheck.sh and adding the line:

$LOGTAIL /var/log/lfd.log >> $TMPDIR/check.$$      

Add it in amongst the other logs that you have selected.


4. csf Command Line Options
###########################

Before configuring and starting csf for the first time, it is a good idea to
run the script /etc/csf/csftest.pl using:

perl /etc/csf/csftest.pl

This script will test whether the required iptables modules are functioning on
the server. Don't worry if it cannot run all the features, so long as the
script doesn't report any FATAL errors.


You can view the csf command line options by using:

# csf -h

Usage: /usr/sbin/csf [option] [value]

Option              Meaning
-h, --help          Show this message
-l, --status        List/Show iptables configuration
-s, --start         Start firewall rules
-f, --stop          Flush/Stop firewall rules
-r, --restart       Restart firewall rules
-a, --add ip        Add an IP address to be whitelisted to /etc/csf.allow
-ar, --addrm ip     Remove an IP address from /etc/csf.allow and delete rule
-d, --deny ip       Add an IP address to be blocked to /etc/csf.deny
-dr, --denyrm ip    Remove and unblock an IP address in /etc/csf.deny
-df, --denyf        Remove and unblock all entries in /etc/csf.deny
-c, --check         Checks for updates to csf+lfd but does not perform an upgrade
-g, --grep ip       Search the iptables rules for an IP match (incl. CIDR)
-t, --temp          Displays the current list of temporary IP bans and their TTL
-tr, --temprm ip    Remove an IP address from the temporary IP ban list
-td, --tempdeny ip ttl [-p port] [-d direction]
                    Add an IP address to the temporary IP ban list. ttl is how
                    long to blocks for in seconds. Optional port. Optional
                    direction of block can be one of in, out or inout. Default
                    is in
-tf, --tempf        Flush all IP addresses from the temporary IP ban list
-m, --mail [addr]   Display Server Check in HTML or email to [addr] if present
-u, --update        Checks for updates to csf+lfd and performs an upgrade if
                    available
-uf                 Forces an update of csf+lfd
-x, --disable       Disable csf and lfd
-e, --enable        Enable csf and lfd if previously disabled
-v, --version       Show csf version

These options allow you to easily and quickly control and view csf. All the 
configuration files for csf are in /etc/csf and include:

csf.conf	- the main configuration file, it has helpful comments explaining
		  what each option does
csf.allow	- a list of IP's and CIDR addresses that should always be allowed 
		  through the firewall
csf.deny	- a list of IP's and CIDR addresses that should never be allowed
		  through the firewall
csf.ignore	- a list of IP's and CIDR addresses that lfd should ignore and not
		  not block if detected
csf.*ignore	- various ignore files that list files, users, IP's that lfd
		  should ignore. See each file for their specific purpose and
		  syntax

If you modify any of the files listed above, you will need to restart csf to 
have them take effect. If you use the command line options to add or deny IP 
addresses, then csf automatically does this for you.

Both csf.allow and csf.deny can have comments after the IP address listed. The
comments must be on the same line as the IP address otherwise the IP rotation
of csf.deny will remove them.

If editing the csf.allow or csf.deny files directly, either from shell or the
WHM UI, you should put a <space>#<space> between the IP address and the comment
like this:

11.22.33.44 # Added because I don't like them

You can also include comments when using the csf -a or csf -d commands, but in
those cases you must not use a # like this:

csf -d 11.22.33.44 Added because I don't like them

If you use the shell commands then each comment line will be timestamped. You
will also find that if lfd blocks an IP address it will add a descriptive
comment plus timestamp.

If you don't want csf to rotate a particular IP in csf.deny if the line limit
is reach you can do so by adding "do not delete" within the comment field,
e.g.:

11.22.33.44 # Added because I don't like them. do not delete


5. lfd Command Line Options
###########################

lfd doesn't have any command line options of its own but is controlled through 
the init script /etc/init.d/lfd which stops and starts the daemon. It is 
configured using the /etc/csf/csf.conf file.

The best way to see what lfd is up to is to take a look in /var/log/lfd.log 
where its activities are logged.

The various email alert templates follow, care should be taken if you
modify that file to maintain the correct format:

/etc/csf/alert.txt - for port blocking emails
/etc/csf/tracking.txt - for POP3/IMAP blocking emails
/etc/csf/connectiontracking.txt - for connection tracking emails
/etc/csf/processtracking.txt - for process tracking alert emails
/etc/csf/usertracking.txt - for user process tracking alert emails
/etc/csf/sshalert.txt - for SSH login emails
/etc/csf/sualert.txt - for SU alert emails
/etc/csf/scriptalert.txt - for script alert emails
/etc/csf/filealert.txt - for suspicious file alert emails
/etc/csf/watchalert.txt - for watched file and directory change alert emails
/etc/csf/loadalert.txt - for high load average alert emails
/etc/csf/resalert.txt - for process resource alert emails
/etc/csf/exploitalert.txt - for system exploit alert emails
/etc/csf/integrityalert.txt - for system integrity alert emails
/etc/csf/relayalert.txt - for email relay alert emails
/etc/csf/portscan.txt - for port scan tracking alert emails
/etc/csf/permblock.txt - for temporary to permanent block alert emails
/etc/csf/netblock.txt - for netblock alert emails
/etc/csf/accounttracking.txt - for account tracking alert emails
/etc/csf/queuealert.txt - for email queue alert emails
/etc/csf/logfloodalert.txt - for log file flooding alert emails
/etc/csf/cpanelalert.txt - for WHM access emails


6. Login Tracking
#################

Login tracking is an extension of lfd, it keeps track of POP3 and IMAP logins
and limits them to X connections per hour per account per IP address. It uses
iptables to block offenders to the appropriate protocol port only and flushes
them every hour and starts counting logins afresh. All of these blocks are
temporary and can be cleared manually by restarting csf.

There are two settings, one of POP3 and one for IMAP logins. It's generally
not a good idea to track IMAP logins as many clients login each time to perform
a protocol transaction (there's no need for them to repeatedly login, but you
can't avoid bad client programming!). So, if you do have a need to have some
limit to IMAP logins, it is probably best to set the login limit quite high.

If you want to know when lfd temporarily blocks an IP address you can enable
the email tracking alerts option (which is on by default)

You can also add your own login failure tracking using regular expression
matching. Please read /etc/csf/regex.custom.pm for more information


7. Script Email Alerts
######################

lfd can scan for emails being sent through exim from scripts on the server.

To use this feature you must add an extended email logging line to WHM >
Exim Configuration Editor > Switch to Advanced Mode > in the first textbox
add the following line:

log_selector = +arguments +subject +received_recipients

If you already already use extended exim logging, then you need to either
include +arguments or use +all

This setting will then send an alert email if more than LF_SCRIPT_LIMIT lines
appear with the same cwd= path in them within an hour. This can be useful in
identifying spamming scripts on a server, especially PHP scripts running
under the nobody account. The email that is sent includes the exim log lines
and also attempts to find scripts that send email in the path that may be the
culprit.

This option uses the /etc/csf/scriptalert text file for alert emails.

If you enable the option LF_SCRIPT_ALERT then lfd will disable the path using
chattr +i and chmod 000 so that the user cannot re-enable it. The alert email
also then includes the commands needed to re-enable the offending path.

Any false-positives can be added to /etc/csf/csf.signore and lfd will then
ignore those listed scripts.

8. Process Tracking
###################

This option enables tracking of user and nobody processes and examines them for
suspicious executables or open network ports. Its purpose is to identify
potential exploit processes that are running on the server, even if they are
obfuscated to appear as system services. If a suspicious process is found an
alert email is sent with relevant information.

It is then the responsibility of the recipient to investigate the process
further as the script takes no further action. Processes (PIDs) are only
reported once unless lfd is restarted.

There is an ignore file /etc/csf/csf.pignore which can be used to whitelist
either usernames or full paths to binaries. Care should be taken with ignoring
users or files so that you don't force false-negatives.

You must use the following format:

exe:/full/path/to/file
user:username
cmd:command line

The command line as reported in /proc has the trailing null character removed
and all other occurrences replaced with a space. So, the line you specify in
the file should have space separators for the command line arguments, not null
characters.

It is strongly recommended that you use command line ignores very carefully
as any process can change what is reported to the OS.

Don't list the paths to perl or php as this will prevent detection of
suspicious web scripts.

For more information on the difference between executable and command line, you
should read and understand how the linux /proc pseudo-filesystem works:

man proc
man lsof

It is beyond the scope of this application to explain how to investigate
processes in the linux /proc architecture.

The email alerts are sent using the processtracking.txt email template.

It should be noted that this feature will not pickup a root compromise as root
processes are ignored - you should use established IDS tools for such security
considerations.

*** NOTE *** You _will_ get false-positives with this particular feature. The
reason for the feature is to bring to your attention processes that have either
been running for a long time under a user account, or that have ports open
outside of your server. You should satisfy yourself that they are indeed false-
positives before either ignoring them or trapping them in the csf.pignore file.

We've done our best to minimise false-positives, but there's a balance between
being cautious and the sensitivity needed to pick up exploits.

The script itself cannot distinguish between malicious intent and intended
script function - that's your job as the server administrator ;-)

The setting PT_SKIP_HTTP does reduce the number of false-positives by not
checking scripts running directly or through CGI in Apache. However, disabling
this setting will make a more thorough job of detecting active exploits of all
varieties.

Another alternative might be to disable PT_SKIP_HTTP and increase PT_LIMIT to
avoid picking up web scripts, however this means that real exploits will run
for longer before they're picked up.

You can, of course, turn the feature off too - if you really want to.


9. Directory Watching
#####################

Directory Watching enables lfd to check /tmp and /dev/shm and other pertinent
directories for suspicious files, i.e. script exploits.

If a suspicious file is found an email alert is sent using the template
filealert.txt.

NOTE: Only one alert per file is sent until lfd is restarted, so if you remove
a suspicious file, remember to restart lfd

To remove any suspicious files found during directory watching, enable
corresponding setting the suspicious files will be appended to a tarball in
/etc/csf/suspicious.tar and deleted from their original location. Symlinks are
simply removed.

If you want to extract the tarball to your current location, use:

tar -xpf /etc/csf/suspicious.tar

This will preserver the path and permissions of the original file.

Any false-positives can be added to /etc/csf/csf.fignore and lfd will then
ignore those listed files and directories.

Within csf.fignore is a list of files that lfd directory watching will ignore.
You must specify the full path to the file

You can also use perl regular expression pattern matching, for example:
/tmp/clamav.*
/tmp/.*\.wrk

Remember that you will need to escape special characters (precede them with a
backslash) such as \. \?

Pattern matching will only occur with strings containing an asterisk (*),
otherwise full file path matching will be applied

You can also add entries to ignore files owner by a particular user by 
preceding it with user:, for example:
user:bob


Note: files owned by root are ignored

For information on perl regular expressions:
http://www.perl.com/doc/manual/html/pod/perlre.html

The second aspect of Directory Watching is enabled with LF_DIRWATCH_FILE. This
option allows you to have lfd watch a particular file or directory for changes
and should they change and email alert using watchalert.txt is sent. It uses a
simple md5sum match from the output of "ls -laAR" on the entry and so will
traverse directories if specified.


10. Advanced Allow/Deny Filters
###############################

In /etc/csf.allow and /etc/csf.deny you can add more complex port and ip
filters using the following format (you must specify a port AND an IP address):

tcp/udp:in/out:s/d=port:s/d=ip:u=uid

Broken down:

tcp/udp  : EITHER tcp OR udp OR icmp protocol
in/out   : EITHER incoming OR outgoing connections
s/d=port : EITHER source OR destination port number (or ICMP type)
           (use a _ for a port range, e.g. 2000_3000)
s/d=ip   : EITHER source OR destination IP address
u/g=UID  : EITHER UID or GID of source packet, implies outgoing connections,
           s/d=IP value is ignored

Note: ICMP filtering uses the "port" for s/d=port to set the ICMP type.
Whether you use s or d is not relevant as either simply uses the iptables
--icmp-type option. Use "iptables -p icmp -h" for a list of valid ICMP types.
Only one type per filter is supported

Examples:

# TCP connections inbound to port 3306 from IP 11.22.33.44
tcp:in:d=3306:s=11.22.33.44

# TCP connections outbound to port 22 on IP 11.22.33.44
tcp:out:d=22:d=11.22.33.44

Note: If omitted, the default protocol is set to "tcp", the default connection
direction is set to "in", so:

# TCP connections inbound to port 22 from IP 44.33.22.11
d=22:s=44.33.22.11

# TCP connections outbound to port 80 from UID 99
tcp:out:d=80::u=99

# ICMP connections inbound for type ping from 44.33.22.11
icmp:in:d=ping:s=44.33.22.11

# TCP connections inbound to port 22 from Dynamic DNS address
# www.configserver.com (for use in csf.dyndns only)
tcp:in:d=22:s=www.configserver.com


11. Multiple Ethernet Devices
#############################

If you have multiple ethernet NICs that you want to apply all rules to, then
you can set ETH_DEVICE to the interface name immediately followed by a plus
sign. For example, eth+ will apply all iptables rules to eth0, eth1, etc.

That said, if you leave ETH_DEVICE blank all rules will be applied to all
ethernet devices equally.


12. Installation on a Generic Linux Server
##########################################

csf+lfd can be configured to run on a generic Linux server. There are some
changes to the features available:

1. The default port range is for a typical non-cPanel web server and may need
   altering to suit the servers environment

2. The Process Tracking ignore file may need expanding in /etc/csf/csf.pignore
   to suit the server environment

3. A standard Webmin Module to configure csf is included - see the install.txt
   for more information

The codebase is the same for a all installations, the csf.conf file simply has
the cPanel specific options removed and the GENERIC option added


13. A note about FTP Connection Issues
######################################

It is important when using an SPI firewall to ensure FTP client applications
are configured to use Passive (PASV) mode connections to the server.

On servers running Monolithic kernels (e.g. VPS Virtuozzo/OpenVZ and custom
built kernels) ip_conntrack and ip_conntrack_ftp iptables kernel modules may
not be available or fully functional. If this happens, FTP passive mode (PASV)
won't work. In such circumstances you will have to open a hole in your firewall
and configure the FTP server to use that same hole.

For example, with pure-ftpd you could add the port range 30000:35000 to TCP_IN
and add the following line to /etc/pure-ftpd.conf and then restart pure-ftpd:
PassivePortRange	30000 35000

For example, with proftpd you could add the port range 30000:35000 to TCP_IN
and add the following line to /etc/proftpd.conf and then restart proftpd:
PassivePorts	30000 35000

FTP over SSL/TLS will usually fail when using an SPI firewall. This is because
of the way the FTP protocol established a connection between client and server.
iptables fails to establish a related connection when using FTP over SSL
because the FTP control connection is encrypted and so cannot track the
relationship between the connection and the allocation of an ephemeral port.

If you need to use FTP over SSL, you will have to open up a passive port block
in both csf and your FTP server configuration (see above).

Perversely, this makes your firewall less secure, while trying to make FTP
connections more secure.


14. Messenger Service
#####################

This feature allows the display of a message to a blocked connecting IP address
to inform the user that they are blocked in the firewall. This can help when
users get themselves blocked, e.g. due to multiple login failures. The service
is provided by two daemons running on ports providing either an HTML or TEXT
message.

This services uses the iptables nat table and the associated PREROUTING chain.
The ipt_REDIRECT module is used to redirect the incoming port to the relevant
messenger service server port.

Temporary and/or permanent (csf.deny) IP addresses can be serviced by this
feature.

It does NOT include redirection of any GLOBAL or BLOCK deny lists.

It does require the IO::Socket::INET perl module.

It does NOT work on servers that do not have the iptables module ipt_REDIRECT
loaded. Typically, this will be with Monolithic kernels. VPS server admins
should check with their VPS host provider that the iptables module is included.

If you change any of the files in /etc/csf/messenger/ you must restart lfd as
they are all cached in memory.

HTML Messenger Server
=====================

The HTML message that is displayed is provided by the file:

/etc/csf/messenger/index.html

The HTML server providing this page is very rudimentary but will accept the use
of linked images that are stored in the /etc/csf/messenger/ directory. The
images must be of either jpg, gif or png format. These images are loaded into
memory so you should keep the number and size to a minimum. No other linked
resource files are supported (e.g. .css, .js).

As the HTML server requires interaction with the client, there is a timer on
the connection to prevent port hogging.

The server has a built-in function that will replace the text [IPADDRESS] in
index.html with the IP address that is blocked by the firewall. This will help
the blocked user know what their blocked IP address is. You can also use the
text [HOSTAME] which will be replaced by the servers FQDN hostname.

The HTML server does not support SSL connections, so redirecting port 443 will
not work.

The HTML server port should not be added to the TCP_IN list.

There is a maximum of 15 port allowed in MESSENGER_HTML_IN.

TEXT Messenger Server
=====================

The TEXT message that is displayed is provided by the file:

/etc/csf/messenger.text

This file should only contain text. The TEXT server providing this file simply
sends the contents to the connecting port and no protocol exchange takes place.
this means that it may not be suitable for use with protocols such as POP3.

The server has a built-in function that will replace the text [IPADDRESS] in
index.text with the IP address that is blocked by the firewall. This will help
the blocked user know what their blocked IP address is. You can also use the
text [HOSTAME] which will be replaced by the servers FQDN hostname.

The TEXT server does not support SSL connections, so redirecting port 995 will
not work.

The TEXT server port should not be added to the TCP_IN list.

There is a maximum of 15 port allowed in MESSENGER_TEXT_IN.

Messenger User
==============

You should create a unique user that the messenger services will run under. 
This user should be disabled and have no shell access.

For example, you can create such an account (in this example called "csf") from
the root shell using:

useradd csf -s /bin/false


15. Block Reporting
###################

lfd can run an external script when it performs and IP address block following
for example a login failure. This is done by setting the configuration variable
BLOCK_REPORT to a script that must be executable. The following parameters are
passed the the script as arguments:

ARG 1 = IP Address	# The IP address or CIDR being blocked
ARG 2 = ports		# Port, comma separated list or * for all ports
ARG 3 = permanent	# 0=temporary block, 1=permanent block
ARG 4 = inout		# Direction of block: in, out or inout
ARG 5 = timeout		# If a temporary block, TTL in seconds, otherwise 0
ARG 6 = message		# Message containing reason for block

lfd launches the BLOCK_REPORT in a forked process which terminates after 10
seconds if not completed by then. It runs under the root account, so great care
should be exercised with regard to security of the BLOCK_REPORT script.


16. Port Flood Protection
#########################

This option configures iptables to offer protection from DOS attacks against
specific ports. This option limits the number of connections per time interval
that new connections can be made to specific ports.

This feature does not work on servers that do not have the iptables module
ipt_recent loaded. Typically, this will be with Monolithic kernels. VPS server
admins should check with their VPS host provider that the iptables module is
included.

By default ipt_recent tracks only the last 100 IP addresses. The tracked IP
addresses can be viewed in /proc/net/ipt_recent/* where the port number is the
filename.

Syntax for the PORTFLOOD setting:

PORTFLOOD is a comma separated list of:
port;protocol;hit count*;interval seconds

So, a setting of PORTFLOOD = "22;tcp;5;300,80;tcp;20;5" means:

1. If more than 5 connections to tcp port 22 within 300 seconds, then block
that IP address from port 22 for at least 300 seconds after the last packet is
seen, i.e. there must be a "quiet" period of 300 seconds before the block is
lifted

2. If more than 20 connections to tcp port 80 within 5 seconds, then block
that IP address from port 80 for at least 5 seconds after the last packet is
seen, i.e. there must be a "quiet" period of 5 seconds before the block is
lifted

More information about the ipt_recent module can be found in the iptables man
page and at http://snowman.net/projects/ipt_recent/

Note: Blocked IP addresses do not appear in any of the iptables chains when
using this module. You must manipulate the /proc/net/ipt_recent/* files as per
the module documentation to view and remove IP addresses that are currently
blocked if the blocks have not yet expired.

Restarting csf resets the ipt_recent tables and removes all of its blocks.

Note: There are some restrictions when using ipt_recent:

1. By default it only tracks 100 addresses per table (we try and increase this
to 1000 via modprobe)

2. By default it only counts 20 packets per address remembered

*This means that you need to keep the hit count to below 20.


17. External Pre- and Post- Scripts
###################################

External commands (e.g. iptables rules not covered by csf) can be run before
and/or after csf sets up the iptables chains and rules.

1. To run external commands before csf configures iptables create the file:

/etc/csf/csfpre.sh

Set that file as executable and add an appropriate shebang interpreter line and
then whatever external commands you wish to execute.

For example:

#!/bin/sh
/some/path/to/binary -a -b -c etc

Then chmod +x /etc/csf/csfpre.sh

2. To run external commands after csf configures iptables create the file:

/etc/csf/csfpost.sh

Set that file as executable and add an appropriate shebang interpreter line and
then whatever external commands you wish to execute.
