Some useful tweak settings on CSF Configuration File
IP Limit in Permanent "Deny" File
DENY_IP_LIMIT = "200"
This caps the number of IP addresses kept in csf.deny; a higher number allows more addresses to be blocked through that file.
IP Limit in Temporary "Deny" File
DENY_TEMP_IP_LIMIT = "100"
Similar to DENY_IP_LIMIT, DENY_TEMP_IP_LIMIT is the maximum number of IP addresses that can be stored in the temporary ban list.
Blocking Outbound SMTP
SMTP_BLOCK = "0"
When set to "1", SMTP_BLOCK does not completely block outbound SMTP, but it does block it for most users. This prevents malicious scripts and compromised accounts from making outbound connections from unauthorized mail clients on the server. SMTP_BLOCK does not stop those scripts from running, but it does stop them from sending mail directly. Mail sent through the proper channels will still be delivered normally.
Allowing SMTP on localhost
SMTP_ALLOWLOCAL = "1"
Custom Mail Port Designation
SMTP_PORTS = "25,465,587"
Allowing SMTP Access to Users/Groups
SMTP_ALLOWUSER = ""
SMTP_ALLOWGROUP = "mail,mailman"
SYN Flood Protection
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
Per the documentation, you should only enable SYN flood protection (SYNFLOOD = "1") if you are currently under a SYN flood attack.
Concurrent Connections Limit
CONNLIMIT = "22;5,80;20"
PORTFLOOD = "22;tcp;5;300,80;tcp;20;5"
These options allow you to add customized DoS protection. CONNLIMIT handles the number of concurrent connections per IP to a port; in this example, port 22 is limited to 5 connections and port 80 to 20. PORTFLOOD rate-limits new connections per IP using "port;protocol;hits;seconds" entries: here, more than 5 new connections to TCP port 22 within 300 seconds, or more than 20 to TCP port 80 within 5 seconds, trigger a temporary block.
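As an added example (not csf's own code), here is a small Python checker that reads the KEY = "value" line format of csf.conf, expands CONNLIMIT and PORTFLOOD into structured rules, and reports lines it cannot parse, such as a value missing its closing quote. The csf.conf excerpt embedded in it is constructed for the demo; the field meanings follow the "port;limit" and "port;protocol;hits;seconds" formats described above.

```python
"""Parse and sanity-check csf CONNLIMIT and PORTFLOOD settings.

Added example for this page, not part of csf. It reads the KEY = "value"
line format csf.conf uses and expands the two DoS-protection settings into
structured rules so a typo (missing quote, bad port, unknown protocol) is
caught before csf is restarted.
"""
import re

# Constructed csf.conf excerpt for the demo (not a real server's file).
# The PORTFLOOD line deliberately lacks its closing quote.
CSF_CONF_SAMPLE = '''
# Concurrent connections per port
CONNLIMIT = "22;5,80;20"
PORTFLOOD = "22;tcp;5;300,80;tcp;20;5
SYNFLOOD_RATE = "100/s"
'''

SETTING_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"\s*$')


def read_settings(text):
    """Return {KEY: value} for every well-formed KEY = "value" line."""
    settings = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def malformed_lines(text):
    """Return (line_number, line) for lines that are neither blank, comment,
    nor a well-formed setting, e.g. a value missing its closing quote."""
    bad = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not SETTING_RE.match(line):
            bad.append((number, line))
    return bad


def _port(token):
    port = int(token)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {token}")
    return port


def parse_connlimit(value):
    """CONNLIMIT is "port;limit" entries separated by commas.
    Returns a list of (port, max_concurrent_connections_per_ip)."""
    rules = []
    for entry in filter(None, value.split(",")):
        port, limit = entry.split(";")
        rules.append((_port(port), int(limit)))
    return rules


def parse_portflood(value):
    """PORTFLOOD is "port;proto;hits;seconds" entries separated by commas:
    more than `hits` new connections from one IP to `port` within `seconds`
    triggers a temporary block. Returns a list of dicts."""
    rules = []
    for entry in filter(None, value.split(",")):
        port, proto, hits, seconds = entry.split(";")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol in PORTFLOOD: {proto}")
        rules.append({"port": _port(port), "proto": proto,
                      "hits": int(hits), "seconds": int(seconds)})
    return rules


def describe(text):
    """Human-readable summary of the DoS settings found in `text`."""
    settings = read_settings(text)
    out = []
    for port, limit in parse_connlimit(settings.get("CONNLIMIT", "")):
        out.append(f"port {port}: at most {limit} concurrent connections per IP")
    for r in parse_portflood(settings.get("PORTFLOOD", "")):
        out.append(f"port {r['port']}/{r['proto']}: more than {r['hits']} "
                   f"new connections in {r['seconds']}s triggers a block")
    for number, line in malformed_lines(text):
        out.append(f"line {number} is malformed: {line.strip()}")
    return out


if __name__ == "__main__":
    print("\n".join(describe(CSF_CONF_SAMPLE)))
```

Run it against a copy of /etc/csf/csf.conf by swapping in the file contents for CSF_CONF_SAMPLE; a malformed line is reported rather than silently ignored, which is what csf would otherwise do with the setting.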
Dropping vs. Rejecting Packets
DROP = "DROP"
This setting controls whether blocked packets are dropped or rejected. REJECT tells the sender that the packet has been blocked by the firewall; DROP discards the packet without sending a response. I like DROP better for regular use, but REJECT can be more helpful when you need to diagnose a connectivity issue.
Logging Dropped Connections
DROP_LOGGING = "1"
This option logs dropped connections to syslog. I don't see any reason to turn this off unless your disk is filling up.
Spamhaus Blocklist
LF_SPAMHAUS = "0"
Setting this to a non-zero value enables the Spamhaus blocklist; the value is the number of seconds between list refreshes. The recommended setting is 86400 (1 day).
Blocking Tor Exit IP Addresses
LF_TOR = "0"
Enabling this option blocks Tor exit node IP addresses. If you are not familiar with Tor, it is an anonymizing proxy network. Blocking it could shut out legitimate users who are protecting their privacy, so I would recommend only turning this on if you are already under attack from a Tor exit address.
Blocking Bogon Addresses
LF_BOGON = "0"
LF_BOGON_URL = "http://www.cymru.com/Documents/bogon-bn-agg.txt"
LF_BOGON_SKIP = ""
Blocking bogon addresses (address space that should never appear as a source on the public Internet) is usually a good decision. To enable it, set the number of seconds between refreshes; I recommend enabling this option with a refresh of 86400 (1 day). If you do so, be sure to add the network adapters that carry your private network traffic to LF_BOGON_SKIP, since private address ranges appear in the bogon list.
Country-Specific Access to Your Server
CC_DENY = ""
CC_ALLOW = ""
With these options, you can block or allow entire countries from accessing your server. To do so, enter the country codes in a comma-separated list.
CC_ALLOW_FILTER = ""
Alternatively, you can set your server to exclusively accept traffic from a list of country codes. All other countries not listed will have their traffic dropped.
Blocking Login Failures
LF_TRIGGER = "0"
This enables blocking of login failures (per service). There are a lot of great customization options in this section.
Scanning Directories for Malicious Files
LF_DIRWATCH = "300"
This feature scans /tmp and /dev/shm for potentially malicious files at the interval (in seconds) you designate and alerts you to their presence. You can also have CSF automatically quarantine the files it finds with this option (shown here at its default):
LF_DIRWATCH_DISABLE = "0"
Distributed Attack Protection
LF_DISTATTACK = "0"
By enabling this option, you activate additional protection against distributed attacks.
Blocking Based on Abusive Email Usage
LT_POP3D = "0"
LT_IMAPD = "0"
If a user checks email too many times per hour (more than the non-zero value specified), the user's IP address is blocked.
Blocking IP Addresses Based on Number of Connections
CT_LIMIT = "0"
This feature tracks connections and blocks the IP if the number of connections is too high. Use caution: if you enable this option and set the value too low, it will block legitimate traffic.
Process Tracking
PT_LIMIT = "60"
This feature provides application-level protection against malicious scripts that take a long time to execute.
Blocking Port Scanners
PS_INTERVAL = "300"
PS_LIMIT = "10"