diff --git a/.etckeeper b/.etckeeper
index 6e8f43d..1dbe0e8 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -37,6 +37,11 @@ mkdir -p './glances'
 mkdir -p './glvnd/egl_vendor.d'
 mkdir -p './gnupg'
 mkdir -p './groff/site-font'
+mkdir -p './imunify360-webshield/webshield-backend.conf.d'
+mkdir -p './imunify360-webshield/webshield-captcha.conf.d'
+mkdir -p './imunify360-webshield/webshield-server.conf.d'
+mkdir -p './imunify360-webshield/webshield-splashscreen.conf.d'
+mkdir -p './imunify360/user_config'
 mkdir -p './incron.d'
 mkdir -p './java/security/security.d'
 mkdir -p './jvm'
@@ -261,6 +266,13 @@ maybe chmod 0644 'bashrc'
 maybe chmod 0644 'bashrc.rpmnew'
 maybe chmod 0644 'bindresvport.blacklist'
 maybe chmod 0755 'binfmt.d'
+maybe chmod 0755 'cagefs'
+maybe chmod 0755 'cagefs/conf.d'
+maybe chmod 0600 'cagefs/conf.d/ai-bolit.cfg'
+maybe chmod 0600 'cagefs/conf.d/pd-i360.cfg'
+maybe chmod 0600 'cagefs/conf.d/phpi360.cfg'
+maybe chmod 0755 'cagefs/exclude'
+maybe chmod 0600 'cagefs/exclude/imunify360'
 maybe chmod 0644 'cczerc'
 maybe chmod 0755 'chkconfig.d'
 maybe chmod 0644 'chrony.conf'
@@ -268,6 +280,11 @@ maybe chmod 0644 'chrony.conf.rpmnew'
 maybe chgrp 'chrony' 'chrony.keys'
 maybe chmod 0640 'chrony.keys'
 maybe chmod 0755 'cifs-utils'
+maybe chmod 0755 'cl.selector'
+maybe chmod 0644 'cl.selector/php.extensions.conflicts'
+maybe chmod 0755 'cl.selector/php.extensions.d'
+maybe chmod 0644 'cl.selector/php.extensions.d/i360.cfg'
+maybe chmod 0644 'cl.selector/selector.conf'
 maybe chown 'amavis' 'clamav-unofficial-sigs'
 maybe chgrp 'amavis' 'clamav-unofficial-sigs'
 maybe chmod 0755 'clamav-unofficial-sigs'
@@ -306,6 +323,8 @@ maybe chgrp 'amavis' 'clamd.d/scan.conf.rpmsave'
 maybe chmod 0644 'clamd.d/scan.conf.rpmsave'
 maybe chmod 0755 'cloud'
 maybe chmod 0644 'cloud/cloud.cfg.rpmsave'
+maybe chmod 0755 'cloudlinux-backup'
+maybe chmod 0644 'cloudlinux-backup/mysql_freeze.config'
 maybe chmod 0755 'cockpit'
 maybe chmod 0755 'cockpit/ws-certs.d'
 maybe chmod 0644 'cockpit/ws-certs.d/0-self-signed-ca.pem'
@@ -319,13 +338,22 @@ maybe chmod 0644 'cron.d/0hourly'
 maybe chmod 0644 'cron.d/clamav-unofficial-sigs'
 maybe chmod 0644 'cron.d/csf-cron'
 maybe chmod 0600 'cron.d/csf_update'
+maybe chmod 0644 'cron.d/imunify-antivirus'
+maybe chmod 0644 'cron.d/imunify-notifier'
+maybe chmod 0644 'cron.d/imunify360'
+maybe chmod 0644 'cron.d/imunify360-webshield-check'
 maybe chmod 0644 'cron.d/lfd-cron'
 maybe chmod 0644 'cron.d/maldet_pub'
+maybe chmod 0644 'cron.d/shrinker-cron'
 maybe chmod 0755 'cron.daily'
+maybe chmod 0755 'cron.daily/cloudlinux-backup-utils'
 maybe chmod 0700 'cron.daily/csget'
 maybe chmod 0755 'cron.daily/etckeeper'
+maybe chmod 0755 'cron.daily/imunify-antivirus.cron'
+maybe chmod 0755 'cron.daily/imunify360.cron'
 maybe chmod 0755 'cron.daily/logrotate'
 maybe chmod 0755 'cron.daily/maldet'
+maybe chmod 0755 'cron.daily/ossec_logs_cleaner'
 maybe chmod 0755 'cron.daily/rkhunter'
 maybe chmod 0644 'cron.deny'
 maybe chmod 0755 'cron.hourly'
@@ -356,6 +384,7 @@ maybe chmod 0600 'csf/csf.blocklists'
 maybe chmod 0600 'csf/csf.blocklists.new'
 maybe chmod 0600 'csf/csf.cloudflare'
 maybe chmod 0600 'csf/csf.conf'
+maybe chmod 0600 'csf/csf.conf.i360bak'
 maybe chmod 0600 'csf/csf.deny'
 maybe chmod 0600 'csf/csf.dirwatch'
 maybe chmod 0600 'csf/csf.dyndns'
@@ -382,6 +411,7 @@ maybe chmod 0600 'csf/disabled'
 maybe chmod 0600 'csf/disabled/csfpost.sh'
 maybe chmod 0600 'csf/disabled/csfpre.sh'
 maybe chmod 0600 'csf/downloadservers'
+maybe chmod 0644 'csf/imunify_allow.conf'
 maybe chmod 0600 'csf/install.txt'
 maybe chmod 0600 'csf/license.txt'
 maybe chmod 0600 'csf/messenger'
@@ -1000,6 +1030,56 @@ maybe chmod 0644 'httpd/conf.modules.d/README'
 maybe chmod 0644 'httpd/conf/httpd.conf'
 maybe chmod 0644 'httpd/conf/magic'
 maybe chmod 0644 'idmapd.conf'
+maybe chmod 0755 'imunify-auditd-log-reader'
+maybe chmod 0644 'imunify-auditd-log-reader/config.yaml'
+maybe chmod 0755 'imunify-realtime-av'
+maybe chmod 0644 'imunify-realtime-av/config.yaml'
+maybe chmod 0755 'imunify360'
+maybe chmod 0755 'imunify360-webshield'
+maybe chmod 0644 'imunify360-webshield/agent-proxies.conf'
+maybe chmod 0644 'imunify360-webshield/blocked_country_codes.conf'
+maybe chmod 0755 'imunify360-webshield/captcha'
+maybe chmod 0644 'imunify360-webshield/captcha.conf'
+maybe chmod 0644 'imunify360-webshield/captcha/lang.conf'
+maybe chmod 0644 'imunify360-webshield/common-proxies.conf'
+maybe chmod 0644 'imunify360-webshield/country_ips.conf'
+maybe chmod 0644 'imunify360-webshield/custom-blacklisted.conf'
+maybe chmod 0644 'imunify360-webshield/custom-whitelisted.conf'
+maybe chmod 0644 'imunify360-webshield/fastcgi.conf'
+maybe chmod 0644 'imunify360-webshield/fastcgi_params'
+maybe chmod 0644 'imunify360-webshield/invisible-captcha.conf'
+maybe chmod 0644 'imunify360-webshield/invisible-captcha.conf.tpl'
+maybe chmod 0644 'imunify360-webshield/koi-utf'
+maybe chmod 0644 'imunify360-webshield/koi-win'
+maybe chmod 0644 'imunify360-webshield/mime.types'
+maybe chmod 0644 'imunify360-webshield/ports.conf'
+maybe chmod 0644 'imunify360-webshield/presets.cfg'
+maybe chmod 0644 'imunify360-webshield/scgi_params'
+maybe chmod 0755 'imunify360-webshield/splashscreen'
+maybe chmod 0644 'imunify360-webshield/splashscreen-antibot.conf'
+maybe chmod 0644 'imunify360-webshield/splashscreen.conf'
+maybe chmod 0644 'imunify360-webshield/splashscreen/lang.conf'
+maybe chmod 0644 'imunify360-webshield/ssl.conf'
+maybe chmod 0755 'imunify360-webshield/ssl_certs'
+maybe chmod 0600 'imunify360-webshield/ssl_certs/dummy.pem'
+maybe chmod 0644 'imunify360-webshield/ssl_ports.conf'
+maybe chmod 0644 'imunify360-webshield/unified_access_logger.conf'
+maybe chmod 0644 'imunify360-webshield/uwsgi_params'
+maybe chmod 0644 'imunify360-webshield/virtserver.conf'
+maybe chmod 0755 'imunify360-webshield/webshield-backend.conf.d'
+maybe chmod 0755 'imunify360-webshield/webshield-captcha.conf.d'
+maybe chmod 0755 'imunify360-webshield/webshield-http.conf.d'
+maybe chmod 0644 'imunify360-webshield/webshield-http.conf.d/resolver.conf'
+maybe chmod 0644 'imunify360-webshield/webshield-http.conf.d/static-whitelist.conf'
+maybe chmod 0644 'imunify360-webshield/webshield-http.conf.d/wscheckdata.conf'
+maybe chmod 0755 'imunify360-webshield/webshield-server.conf.d'
+maybe chmod 0755 'imunify360-webshield/webshield-splashscreen.conf.d'
+maybe chmod 0644 'imunify360-webshield/webshield.conf'
+maybe chmod 0644 'imunify360-webshield/whitelisted-domains.conf'
+maybe chmod 0644 'imunify360-webshield/win-utf'
+maybe chmod 0644 'imunify360-webshield/wscheck.conf'
+maybe chmod 0600 'imunify360/unified-access-logger.conf'
+maybe chmod 0755 'imunify360/user_config'
 maybe chmod 0644 'incron.conf'
 maybe chmod 0755 'incron.d'
 maybe chmod 0644 'inittab'
@@ -1058,6 +1138,7 @@ maybe chmod 0755 'krb5.conf.d'
 maybe chmod 0644 'krb5.conf.d/kcm_default_ccache'
 maybe chmod 0644 'ld.so.conf'
 maybe chmod 0755 'ld.so.conf.d'
+maybe chmod 0644 'ld.so.conf.d/alt-hyperscan.conf'
 maybe chmod 0644 'ld.so.conf.d/bind-export-x86_64.conf'
 maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-193.6.3.el8_2.x86_64.conf'
 maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-372.13.1.el8_6.x86_64.conf'
@@ -3055,11 +3136,17 @@ maybe chmod 0644 'logrotate.d/aide'
 maybe chmod 0644 'logrotate.d/btmp'
 maybe chmod 0644 'logrotate.d/chrony'
 maybe chmod 0644 'logrotate.d/clamav-unofficial-sigs'
+maybe chmod 0644 'logrotate.d/cloudlinux-backup-utils'
 maybe chmod 0644 'logrotate.d/dnf'
 maybe chmod 0640 'logrotate.d/fail2ban'
 maybe chmod 0640 'logrotate.d/fail2ban.rpmsave'
 maybe chmod 0644 'logrotate.d/firewalld'
 maybe chmod 0644 'logrotate.d/httpd'
+maybe chmod 0644 'logrotate.d/imunify360'
+maybe chmod 0644 'logrotate.d/imunify360-pam'
+maybe chmod 0644 'logrotate.d/imunify360-unified-access-logger'
+maybe chmod 0644 'logrotate.d/imunify360-wafd'
+maybe chmod 0644 'logrotate.d/imunify360-webshield'
 maybe chmod 0644 'logrotate.d/iptraf-ng'
 maybe chmod 0644 'logrotate.d/kvm_stat'
 maybe chmod 0644 'logrotate.d/lfd'
@@ -3069,6 +3156,7 @@ maybe chgrp 'named' 'logrotate.d/named'
 maybe chmod 0640 'logrotate.d/named'
 maybe chmod 0644 'logrotate.d/netdata'
 maybe chmod 0644 'logrotate.d/nginx'
+maybe chmod 0644 'logrotate.d/ossec-hids'
 maybe chmod 0644 'logrotate.d/php-fpm'
 maybe chmod 0644 'logrotate.d/ppp'
 maybe chmod 0644 'logrotate.d/privoxy'
@@ -4628,6 +4716,8 @@ maybe chmod 0640 'nginx/uwsgi_params'
 maybe chmod 0644 'npmrc'
 maybe chmod 0755 'nrpe.d'
 maybe chmod 0644 'nsswitch.conf'
+maybe chmod 0644 'odbc.ini'
+maybe chmod 0644 'odbcinst.ini'
 maybe chmod 0755 'oddjob'
 maybe chmod 0644 'oddjobd.conf'
 maybe chmod 0755 'oddjobd.conf.d'
@@ -4698,6 +4788,7 @@ maybe chmod 0755 'openldap'
 maybe chmod 0755 'openldap/certs'
 maybe chmod 0644 'openldap/ldap.conf'
 maybe chmod 0755 'opt'
+maybe chmod 0600 'ossec-init.conf'
 maybe chmod 0755 'pam.d'
 maybe chmod 0644 'pam.d/atd'
 maybe chmod 0644 'pam.d/chfn'
@@ -4706,6 +4797,8 @@ maybe chmod 0644 'pam.d/cockpit'
 maybe chmod 0644 'pam.d/config-util'
 maybe chmod 0644 'pam.d/crond'
 maybe chmod 0644 'pam.d/dovecot'
+maybe chmod 0644 'pam.d/dovecot_imunify'
+maybe chmod 0644 'pam.d/dovecot_imunify_domainowner'
 maybe chmod 0644 'pam.d/fingerprint-auth'
 maybe chmod 0644 'pam.d/login'
 maybe chmod 0644 'pam.d/mock'
@@ -4715,6 +4808,7 @@ maybe chmod 0644 'pam.d/password-auth'
 maybe chmod 0644 'pam.d/polkit-1'
 maybe chmod 0644 'pam.d/postlogin'
 maybe chmod 0644 'pam.d/ppp'
+maybe chmod 0644 'pam.d/proftpd_imunify'
 maybe chmod 0644 'pam.d/remote'
 maybe chmod 0644 'pam.d/runuser'
 maybe chmod 0644 'pam.d/runuser-l'
@@ -4735,6 +4829,8 @@ maybe chmod 0644 'pam.d/systemd-user'
 maybe chmod 0644 'pam.d/vlock'
 maybe chmod 0644 'pam.d/vmtoolsd'
 maybe chmod 0644 'pam.d/vsftpd'
+maybe chmod 0750 'pam_imunify'
+maybe chmod 0600 'pam_imunify/i360.ini'
 maybe chmod 0644 'papersize'
 maybe chmod 0644 'passwd'
 maybe chmod 0644 'passwd-'
@@ -5710,6 +5806,7 @@ maybe chmod 0644 'sudoers.d/nrpe'
 maybe chmod 0640 'sudoers.d/smiti'
 maybe chmod 0640 'sudoers.d/vampi'
 maybe chmod 0755 'sysconfig'
+maybe chmod 0640 'sysconfig/aibolit-resident'
 maybe chmod 0644 'sysconfig/anaconda'
 maybe chmod 0644 'sysconfig/arpwatch'
 maybe chmod 0644 'sysconfig/atd'
@@ -5725,7 +5822,17 @@ maybe chmod 0644 'sysconfig/firstboot'
 maybe chmod 0644 'sysconfig/garb'
 maybe chmod 0644 'sysconfig/htcacheclean'
 maybe chmod 0750 'sysconfig/imunify360'
+maybe chmod 0660 'sysconfig/imunify360/.imunify360.backup_config'
+maybe chmod 0644 'sysconfig/imunify360/custom_billing.config'
+maybe chmod 0644 'sysconfig/imunify360/imunify360-merged.config'
+maybe chmod 0600 'sysconfig/imunify360/imunify360.config'
+maybe chmod 0700 'sysconfig/imunify360/imunify360.config.d'
+maybe chmod 0600 'sysconfig/imunify360/imunify360.config.d/10_on_first_install.config'
+maybe chmod 0600 'sysconfig/imunify360/imunify360.config.defaults.example'
 maybe chmod 0640 'sysconfig/imunify360/integration.conf'
+maybe chmod 0755 'sysconfig/imunify360/malware-filters-admin-conf'
+maybe chmod 0644 'sysconfig/imunify360/malware-filters-admin-conf/ignored.txt'
+maybe chmod 0644 'sysconfig/imunify360/malware-filters-admin-conf/watched.txt'
 maybe chmod 0600 'sysconfig/ip6tables-config'
 maybe chmod 0600 'sysconfig/iptables-config'
 maybe chmod 0644 'sysconfig/iptables.old-2020-10-20-17_37_02'
@@ -5802,6 +5909,7 @@ maybe chmod 0644 'sysconfig/svnserve'
 maybe chmod 0644 'sysctl.conf'
 maybe chmod 0644 'sysctl.conf.old-2020-10-20-17_37_02'
 maybe chmod 0755 'sysctl.d'
+maybe chmod 0644 'sysctl.d/90-webshield-ip-local-reserved.conf'
 maybe chmod 0644 'system-fips'
 maybe chmod 0644 'system-release-cpe'
 maybe chmod 0755 'systemd'
@@ -5913,6 +6021,8 @@ maybe chmod 0600 'vsftpd/vsftpd.conf'
 maybe chmod 0744 'vsftpd/vsftpd_conf_migrate.sh'
 maybe chmod 0755 'w3m'
 maybe chmod 0644 'w3m/config'
+maybe chmod 0755 'wafd_imunify'
+maybe chmod 0600 'wafd_imunify/i360.ini'
 maybe chmod 0644 'wgetrc'
 maybe chmod 0644 'whois.conf'
 maybe chmod 0700 'wireguard'
@@ -5969,6 +6079,7 @@ maybe chmod 0644 'yum.repos.d/epel-testing.repo'
 maybe chmod 0644 'yum.repos.d/epel.repo'
 maybe chmod 0644 'yum.repos.d/hashicorp.repo'
 maybe chmod 0640 'yum.repos.d/immortal_immortal.repo'
+maybe chmod 0644 'yum.repos.d/imunify-rollout.repo'
 maybe chmod 0644 'yum.repos.d/imunify360-testing.repo'
 maybe chmod 0644 'yum.repos.d/imunify360.repo'
 maybe chmod 0640 'yum.repos.d/kopia.repo'
diff --git a/cagefs/conf.d/ai-bolit.cfg b/cagefs/conf.d/ai-bolit.cfg
new file mode 100644
index 0000000..342b6d5
--- /dev/null
+++ b/cagefs/conf.d/ai-bolit.cfg
@@ -0,0 +1,3 @@
+[ai-bolit]
+comment=AI-BOLIT
+paths=/opt/ai-bolit/AIBOLIT-WHITELIST.db, /opt/ai-bolit/ai-bolit-hoster.php, /opt/ai-bolit/ai-bolit.php, /opt/ai-bolit/procu2.php
diff --git a/cagefs/conf.d/pd-i360.cfg b/cagefs/conf.d/pd-i360.cfg
new file mode 100644
index 0000000..0f868a4
--- /dev/null
+++ b/cagefs/conf.d/pd-i360.cfg
@@ -0,0 +1,3 @@
+[pd-i360]
+comment=PD files
+paths=/etc/ld.so.conf.d/alt-hyperscan.conf
diff --git a/cagefs/conf.d/phpi360.cfg b/cagefs/conf.d/phpi360.cfg
new file mode 100644
index 0000000..e3b59ec
--- /dev/null
+++ b/cagefs/conf.d/phpi360.cfg
@@ -0,0 +1,3 @@
+[phpi360]
+comment=PHP proactive defence
+paths=/etc/sysconfig/imunify360/imunify360-merged.config
\ No newline at end of file
diff --git a/cagefs/exclude/imunify360 b/cagefs/exclude/imunify360
new file mode 100644
index 0000000..33d55a0
--- /dev/null
+++ b/cagefs/exclude/imunify360
@@ -0,0 +1,5 @@
+imunify360-captcha
+ossec
+ossecr
+ossecm
+ossece
diff --git a/cl.selector/php.extensions.conflicts b/cl.selector/php.extensions.conflicts
new file mode 100644
index 0000000..03ddc57
--- /dev/null
+++ b/cl.selector/php.extensions.conflicts
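Review bot: `paths=/etc/sysconfig/imunify360/imunify360-merged.config` is missing its trailing newline (the hunk ends with "No newline at end of file"), unlike the sibling ai-bolit.cfg and pd-i360.cfg entries in this commit; add the final newline so the three files are consistent. The more important point is what the entry does: it mounts the merged Imunify360 configuration into every CageFS jail, and the .etckeeper hunk earlier in this commit records that file as mode 0644, so any caged user can read it. This is vendor-supplied and presumably intended, but it is worth confirming on this host that the merged config carries nothing secret.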
@@ -0,0 +1,16 @@
+# This file contains php extensions mutual conflicts
+
+eaccelerator, apc, xcache, xcache_3, apcu
+apc, opcache
+
+idn, intl
+
+mysql, nd_mysql
+mysqli, nd_mysqli
+pdo_mysql, nd_pdo_mysql
+ioncube_loader, ioncube_loader_4
+ioncube_loader, ioncube_loader_5
+ioncube_loader_5, ioncube_loader_4
+imagick, gmagick
+gmagick, magickwand
+phalcon, phalcon3
diff --git a/cl.selector/php.extensions.d/i360.cfg b/cl.selector/php.extensions.d/i360.cfg
new file mode 100644
index 0000000..5692270
--- /dev/null
+++ b/cl.selector/php.extensions.d/i360.cfg
@@ -0,0 +1,2 @@
+[extensions]
+hide_extensions=i360
diff --git a/cl.selector/selector.conf b/cl.selector/selector.conf
new file mode 100644
index 0000000..e69de29
diff --git a/cloudlinux-backup/mysql_freeze.config b/cloudlinux-backup/mysql_freeze.config
new file mode 100644
index 0000000..c74b8e4
--- /dev/null
+++ b/cloudlinux-backup/mysql_freeze.config
@@ -0,0 +1,4 @@
+FREEZE_MYSQL_TIMEOUT=300
+FREEZE_SNAPSHOT_TIMEOUT=600
+FREEZE_LOCKFILE=/var/cloudlinux-backup-mysql-freeze.lock
+FREEZE_LOGFILE=/var/log/cloudlinux-backup-mysql-freeze.log
diff --git a/cron.d/imunify-antivirus b/cron.d/imunify-antivirus
new file mode 100644
index 0000000..7cae077
--- /dev/null
+++ b/cron.d/imunify-antivirus
@@ -0,0 +1,7 @@
+PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
+
+# Every Saturday at 1:25
+25 1 * * 6 root tmpwatch 168 /var/imunify360/tmp
+# Every 5 minutes. Ignore "ERROR: imunify360 service is running."
+*/5 * * * * root imunify360-agent malware on-demand check-detached > /dev/null 2>&1 || :
+17 4 * * * root /opt/alt/python38/share/imunify360/scripts/report-command-error /opt/alt/python38/share/imunify360/scripts/update_components_versions.py > /dev/null 2>&1
diff --git a/cron.d/imunify-notifier b/cron.d/imunify-notifier
new file mode 100644
index 0000000..ab71f0a
--- /dev/null
+++ b/cron.d/imunify-notifier
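Review bot: `25 1 * * 6 root tmpwatch 168 /var/imunify360/tmp` duplicates the job that cron.d/imunify360 in this same commit schedules at the identical minute on the identical directory (there wrapped in imunify360-cgroup-process-wrapper), and the same overlap appears in cron.daily, where both imunify-antivirus.cron and imunify360.cron run `imunify360-agent check-domains` and a daily `yum update` that includes ai-bolit and imunify-notifier. Two product-level cron sets (ImunifyAV and Imunify360) therefore appear to be installed side by side, which looks like a leftover from an upgrade rather than a deliberate choice; keep only the imunify360 set, or confirm with the vendor that both are meant to coexist. Separately, `> /dev/null 2>&1 || :` on the check-detached line hides every failure of the on-demand scan, so a broken agent will go unnoticed unless something else monitors it.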
@@ -0,0 +1,4 @@
+# CONTENT OF THIS FILE IS GENERATED AUTOMATICALLY, DO NOT EDIT
+SHELL=/bin/bash
+MAILTO=""
+* * * * * root /usr/sbin/imunify-notifier -update-cron
diff --git a/cron.d/imunify360 b/cron.d/imunify360
new file mode 100644
index 0000000..cade345
--- /dev/null
+++ b/cron.d/imunify360
@@ -0,0 +1,8 @@
+PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
+
+13 * * * * root /usr/sbin/imunify360-watchdog 1200 >/dev/null 2>&1
+0 * * * * root /usr/sbin/imunify-realtime-av -cleanup >/dev/null 2>&1
+# clean modsec tmp dir for the case when tmp files are stored permanently (see DEF-14411)
+*/5 * * * * root /usr/libexec/imunify360-cgroup-process-wrapper --command tmpwatch --report-time --report-slice /Imunify.slice/Cron.slice/tmpreaper_tmp_modsec -- 5m /var/imunify360/tmp_modsec
+# Every Saturday at 1:25
+25 1 * * 6 root /usr/libexec/imunify360-cgroup-process-wrapper --command tmpwatch --report-time --report-slice /Imunify.slice/Cron.slice/tmpreaper_tmp -- 168 /var/imunify360/tmp
diff --git a/cron.d/imunify360-webshield-check b/cron.d/imunify360-webshield-check
new file mode 100644
index 0000000..23126c5
--- /dev/null
+++ b/cron.d/imunify360-webshield-check
@@ -0,0 +1,4 @@
+SHELL=/bin/bash
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+
+*/5 * * * * root /usr/share/imunify360-webshield/webshield-watchdog &>/dev/null
diff --git a/cron.d/shrinker-cron b/cron.d/shrinker-cron
new file mode 100644
index 0000000..119ff97
--- /dev/null
+++ b/cron.d/shrinker-cron
@@ -0,0 +1 @@
+17 3 * * * root /usr/bin/flock -n /var/run/shrinker.lock /opt/alt/python38/bin/python3 /opt/alt/modsec-sdbm-util/bin/shrinker.py > /dev/null
diff --git a/cron.daily/cloudlinux-backup-utils b/cron.daily/cloudlinux-backup-utils
new file mode 100755
index 0000000..7b677c4
--- /dev/null
+++ b/cron.daily/cloudlinux-backup-utils
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+LOG_FILE=${1:-/var/log/cloudlinux-backup-utils-cron.log}
+
+log() {
+ echo "$(date -u): ${*}" >>"${LOG_FILE}"
+}
+
+refresh_token_if_present() {
+ backend=${1}
+ token_file=/var/restore_infected/${backend}_api_token.json
+
+ if [ -f "${token_file}" ]; then
+ log "${backend}: refreshing auth token"
+ out=$(/usr/bin/restore_infected "${backend}" extra refresh_token 2>&1)
+ exit_code=$?
+ if [ "${exit_code}" != "0" ]; then
+ log "${out}"
+ log "Token refresh failed"
+
+ echo "${out}"
+ echo "Token refresh failed"
+ return 1
+ fi
+ log "Auth token refreshed"
+ else
+ log "${backend}: not initialized, skipping..."
+ fi
+}
+
+refresh_token_if_present acronis
+refresh_token_if_present r1soft
+
diff --git a/cron.daily/imunify-antivirus.cron b/cron.daily/imunify-antivirus.cron
new file mode 100755
index 0000000..98a5afe
--- /dev/null
+++ b/cron.daily/imunify-antivirus.cron
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+/usr/bin/imunify360-agent check-domains > /dev/null 2>&1 || true
+
+/opt/alt/python38/share/imunify360/scripts/report-command-error \
+ /usr/bin/yum update \
+ imunify-antivirus \
+ ai-bolit \
+ imunify-notifier \
+ --assumeyes > /dev/null 2>&1
+
+/usr/bin/imunify-antivirus version > /dev/null 2>&1
diff --git a/cron.daily/imunify360.cron b/cron.daily/imunify360.cron
new file mode 100755
index 0000000..1d47f72
--- /dev/null
+++ b/cron.daily/imunify360.cron
@@ -0,0 +1,15 @@
+#!/bin/bash
+/usr/bin/imunify360-agent check-domains > /dev/null 2>&1
+/opt/alt/python38/share/imunify360/scripts/report-command-error \
+ /usr/bin/yum update \
+ imunify360-firewall \
+ cloudlinux-backup-utils \
+ ai-bolit \
+ imunify360-php-i360 \
+ imunify-realtime-av \
+ imunify-auditd-log-reader \
+ imunify360-webshield-bundle \
+ imunify360-pam \
+ imunify-notifier \
+ imunify360-unified-access-logger \
+ --assumeyes > /dev/null 2>&1
diff --git a/cron.daily/ossec_logs_cleaner b/cron.daily/ossec_logs_cleaner
new file mode 100755
index 0000000..23b7fa3
--- /dev/null
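Review bot: On a failed refresh, `log "${out}"` appends the complete output of `restore_infected "${backend}" extra refresh_token` to `${LOG_FILE}`, a file this script creates with whatever umask cron hands it, so anything the backend prints during the token exchange (possibly the token itself — not determinable from here) lands in a log that is very likely world-readable. Add `umask 077` right after the shebang, or log only `${exit_code}` and leave `${out}` to the `echo` that already goes to stdout, which cron mails to root. Note also that the script's exit status is simply that of the final `refresh_token_if_present r1soft`, so a failed acronis refresh followed by a skipped r1soft exits 0; capture the failure (for example `rc=0; refresh_token_if_present acronis || rc=1; refresh_token_if_present r1soft || rc=1; exit "${rc}"`) if run-parts reporting matters.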
+++ b/cron.daily/ossec_logs_cleaner
@@ -0,0 +1,7 @@
+#!/bin/bash
+# -delete option implicitly uses -depth, which traverse folders with DFS
+# (beginning with folder's content, ending with folder itself)
+# so, if old folder contains old files, "directory is not empty" error won't happen.
+# Old folder may not be deleted only if contains recently modified files
+find -H /var/ossec/logs/{alerts/*,archives/*,firewall/*} -mtime +2 -not -name alerts.json -delete >/dev/null 2>&1
+exit 0
\ No newline at end of file
diff --git a/csf/csf.allow b/csf/csf.allow
index 75885fc..94ca1da 100644
--- a/csf/csf.allow
+++ b/csf/csf.allow
@@ -162,3 +162,7 @@ tcp:in:d=5666:s=194.63.143.34 # file.rocks
 86.127.8.66 # Manually allowed: 86.127.8.66 (RO/Romania/Dolj/Craiova/static-86-127-8-66.rdsnet.ro) - Tue Dec 27 00:07:45 2022
 82.76.35.228 # Manually allowed: 82.76.35.228 (RO/Romania/Bucuresti/Bucharest/static-82-76-35-228.rdsnet.ro) - Wed Jan 18 09:03:34 2023
 86.127.21.14 # Manually allowed: 86.127.21.14 (RO/Romania/Dolj/Craiova/86-127-21-14.rdsnet.ro) - Mon Jan 23 16:40:32 2023
+
+# csf_tool:
+148.251.142.83 # imunify360 server - Thu Feb 9 14:49:32 2023
+69.175.3.10 # files.imunify360.com server - Thu Feb 9 14:49:32 2023
diff --git a/csf/csf.conf b/csf/csf.conf
index 410ea75..bf76cdd 100644
--- a/csf/csf.conf
+++ b/csf/csf.conf
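Review bot: `find -H /var/ossec/logs/{alerts/*,archives/*,firewall/*} ... -delete >/dev/null 2>&1` followed by an unconditional `exit 0` makes every failure invisible: when any of the three directories is empty its glob stays literal, find complains on the discarded stderr, and the script still reports success. `find /var/ossec/logs/alerts /var/ossec/logs/archives /var/ossec/logs/firewall -mindepth 1 -mtime +2 -not -name alerts.json -delete` selects the same entries without depending on globbing, and dropping `-H` keeps find from following a symlink that happens to sit in one of those directories before it deletes through it. The file also ends without a trailing newline after `exit 0`.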
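Review bot: `148.251.142.83 # imunify360 server ...` and `69.175.3.10 # files.imunify360.com server ...` are bare addresses, which in csf.allow open every port in both directions, whereas the context line `tcp:in:d=5666:s=194.63.143.34` shows that the narrower advanced syntax is already in use in this file. If these hosts are only contacted outbound over HTTPS (I cannot tell from the diff), entries of the form `tcp:out:d=443:d=148.251.142.83` would limit the exposure. This matters more than usual here because the csf.conf copy added in this commit as csf.conf.i360bak sets `IGNORE_ALLOW = "1"`, which also exempts allowed addresses from lfd blocking.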
@@ -136,10 +136,10 @@ AUTO_UPDATES = "1"
 LF_SPI = "1"
 
 # Allow incoming TCP ports
-TCP_IN = "20,21,22,25,26,53,80,88,110,143,443,465,587,873,904,953,992,993,995,1907:1909,1723,1986,2082,2083,2086,2087,2095,2096,5432,8000,8001,8080,8443,8800,8988,9080,9443,9391,9999,65534,5080,5665,5666,5222,5269,52222,40000:40100,11898"
+TCP_IN = "20,21,22,25,26,53,80,88,110,143,443,465,587,873,904,953,992,993,995,1723,1986,2082,2083,2086,2087,2095,2096,5080,5222,5269,5432,5665,5666,8000,8001,8080,8443,8800,8988,9080,9391,9443,9999,11898,52222,65534,1907:1909,40000:40100"
 
 # Allow outgoing TCP ports
-TCP_OUT = "1:65535"
+TCP_OUT = ",1:65535"
 
 # Allow incoming UDP ports
 UDP_IN = "20,21,53,67,68,123,161,500,514,517,518,1027,1194,1514,1701,1981,4500,33434:33523"
diff --git a/csf/csf.conf.i360bak b/csf/csf.conf.i360bak
new file mode 100644
index 0000000..14d895c
--- /dev/null
+++ b/csf/csf.conf.i360bak
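Review bot: `TCP_OUT = ",1:65535"` now begins with a comma, i.e. an empty first list element that the previous value `TCP_OUT = "1:65535"` (also preserved in csf.conf.i360bak in this commit) did not have. csf splits these lists on commas, so the empty entry is at best silently skipped and at worst rejected when the rules are rebuilt; restore `TCP_OUT = "1:65535"`. The TCP_IN change is a pure reordering of the same port set (the two ranges moved to the end), so no functional change is introduced there.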
@@ -0,0 +1,2679 @@ +############################################################################### +# SECTION:Initial Settings +############################################################################### +# Testing flag - enables a CRON job that clears iptables incase of +# configuration problems when you start csf. This should be enabled until you +# are sure that the firewall works - i.e. incase you get locked out of your +# server! Then do remember to set it to 0 and restart csf when you're sure +# everything is OK. Stopping csf will remove the line from /etc/crontab +# +# lfd will not start while this is enabled +TESTING = "0" + +# The interval for the crontab in minutes. Since this uses the system clock the +# CRON job will run at the interval past the hour and not from when you issue +# the start command. Therefore an interval of 5 minutes means the firewall +# will be cleared in 0-5 minutes from the firewall start +TESTING_INTERVAL = "5" + +# SECURITY WARNING +# ================ +# +# Unfortunately, syslog and rsyslog allow end-users to log messages to some +# system logs via the same unix socket that other local services use. This +# means that any log line shown in these system logs that syslog or rsyslog +# maintain can be spoofed (they are exactly the same as real log lines). +# +# Since some of the features of lfd rely on such log lines, spoofed messages +# can cause false-positive matches which can lead to confusion at best, or +# blocking of any innocent IP address or making the server inaccessible at +# worst. +# +# Any option that relies on the log entries in the files listed in +# /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered +# vulnerable to exploitation by end-users and scripts run by end-users. +# +# NOTE: Not all log files are affected as they may not use syslog/rsyslog +# +# The option RESTRICT_SYSLOG disables all these features that rely on affected +# logs. 
These options are: +# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT +# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP +# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT +# PORTKNOCKING_ALERT LF_SUDO_EMAIL_ALERT +# +# This list of options use the logs but are not disabled by RESTRICT_SYSLOG: +# ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG +# +# The following options are still enabled by default on new installations so +# that, on balance, csf/lfd still provides expected levels of security: +# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT +# +# If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed +# above, it should be done with the knowledge that any of the those options +# that are enabled could be triggered by spoofed log lines and lead to the +# server being inaccessible in the worst case. If you do not want to take that +# risk you should set RESTRICT_SYSLOG to "1" and those features will not work +# but you will not be protected from the exploits that they normally help block +# +# The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access +# the syslog/rsyslog unix socket. +# +# For further advice on how to help mitigate these issues, see +# /etc/csf/readme.txt +# +# 0 = Allow those options listed above to be used and configured +# 1 = Disable all the options listed above and prevent them from being used +# 2 = Disable only alerts about this feature and do nothing else +# 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED ** +RESTRICT_SYSLOG = "2" + +# The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts +# write access to the syslog/rsyslog unix socket(s). 
The group must not already +# exists in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option +# to a unique name for the server +# +# You can add users to this group by changing /etc/csf/csf.syslogusers and then +# restarting lfd afterwards. This will create the system group and add the +# users from csf.syslogusers if they exist to that group and will change the +# permissions on the syslog/rsyslog unix socket(s). The socket(s) will be +# monitored and the permissions re-applied should syslog/rsyslog be restarted +# +# Using this option will prevent some legitimate logging, e.g. end-user cron +# job logs +# +# If you want to revert RESTRICT_SYSLOG to another option and disable this +# feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then +# syslog/rsyslog and the unix sockets will be reset +RESTRICT_SYSLOG_GROUP = "csfsyslog" + +# This options restricts the ability to modify settings within this file from +# the csf UI. Should the parent control panel be compromised, these restricted +# options could be used to further compromise the server. For this reason we +# recommend leaving this option set to at least "1" and if any of the +# restricted items need to be changed, they are done so from the root shell +# +# 0 = Unrestricted UI +# 1 = Restricted UI +# 2 = Disabled UI +RESTRICT_UI = "1" + +# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which +# runs once per day to see if there is an update to csf+lfd and upgrades if +# available and restarts csf and lfd +# +# You should check for new version announcements at http://blog.configserver.com +AUTO_UPDATES = "1" + +############################################################################### +# SECTION:IPv4 Port Settings +############################################################################### +# Lists of ports in the following comma separated lists can be added using a +# colon (e.g. 30000:35000). 
+ +# Some kernel/iptables setups do not perform stateful connection tracking +# correctly (typically some virtual servers or custom compiled kernels), so a +# SPI firewall will not function correctly. If this happens, LF_SPI can be set +# to 0 to reconfigure csf as a static firewall. +# +# As connection tracking will not be configured, applications that rely on it +# will not function unless all outgoing ports are opened. Therefore, all +# outgoing connections will be allowed once all other tests have completed. So +# TCP_OUT, UDP_OUT and ICMP_OUT will not have any affect. +# +# If you allow incoming DNS lookups you may need to use the following +# directive in the options{} section of your named.conf: +# +# query-source port 53; +# +# This will force incoming DNS traffic only through port 53 +# +# Disabling this option will break firewall functionality that relies on +# stateful packet inspection (e.g. DNAT, PACKET_FILTER) and makes the firewall +# less secure +# +# This option should be set to "1" in all other circumstances +LF_SPI = "1" + +# Allow incoming TCP ports +TCP_IN = "20,21,22,25,26,53,80,88,110,143,443,465,587,873,904,953,992,993,995,1723,1986,2082,2083,2086,2087,2095,2096,5080,5222,5269,5432,5665,5666,8000,8001,8080,8443,8800,8988,9080,9391,9443,9999,11898,52222,65534,1907:1909,40000:40100" + +# Allow outgoing TCP ports +TCP_OUT = "1:65535" + +# Allow incoming UDP ports +UDP_IN = "20,21,53,67,68,123,161,500,514,517,518,1027,1194,1514,1701,1981,4500,33434:33523" + +# Allow outgoing UDP ports +# To allow outgoing traceroute add 33434:33523 to this list +UDP_OUT = "1:65535" + +# Allow incoming PING. Disabling PING will likely break external uptime +# monitoring +ICMP_IN = "1" + +# Set the per IP address incoming ICMP packet rate for PING requests. This +# ratelimits PING requests which if exceeded results in silently rejected +# packets. 
Disable or increase this value if you are seeing PING drops that you
+# do not want
+#
+# To disable rate limiting set to "0", otherwise set according to the iptables
+# documentation for the limit module. For example, "1/s" will limit to one
+# packet per second
+ICMP_IN_RATE = "1/s"
+
+# Allow outgoing PING
+#
+# Unless there is a specific reason, this option should NOT be disabled as it
+# could break OS functionality
+ICMP_OUT = "1"
+
+# Set the per IP address outgoing ICMP packet rate for PING requests. This
+# ratelimits PING requests which if exceeded results in silently rejected
+# packets. Disable or increase this value if you are seeing PING drops that you
+# do not want
+#
+# Unless there is a specific reason, this option should NOT be enabled as it
+# could break OS functionality
+#
+# To disable rate limiting set to "0", otherwise set according to the iptables
+# documentation for the limit module. For example, "1/s" will limit to one
+# packet per second
+ICMP_OUT_RATE = "0"
+
+# For those with PCI Compliance tools that state that ICMP timestamps (type 13)
+# should be dropped, you can enable the following option. 
Otherwise, there
+# appears to be little evidence that it has anything to do with a security risk
+# and can impact network performance, so should be left disabled by everyone
+# else
+ICMP_TIMESTAMPDROP = "0"
+
+###############################################################################
+# SECTION:IPv6 Port Settings
+###############################################################################
+# IPv6: (Requires ip6tables)
+#
+# Pre v2.6.20 kernels do not perform stateful connection tracking, so a static
+# firewall is configured as a fallback instead if IPV6_SPI is set to 0 below
+#
+# Supported:
+# Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,
+# PACKET_FILTER, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, CC6_LOOKUPS,
+# SYNFLOOD, LF_NETBLOCK
+#
+# Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled
+# CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS,
+# CC_ALLOW_SMTPAUTH
+#
+# Supported if ip6tables >= 1.4.3:
+# PORTFLOOD, CONNLIMIT
+#
+# Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is
+# installed:
+# MESSENGER DOCKER SMTP_REDIRECT
+#
+# Not supported:
+# ICMP_IN, ICMP_OUT
+#
+IPV6 = "1"
+
+# IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6
+# traffic in the INPUT and OUTPUT chains. However, this could increase the risk
+# of icmpv6 attacks. To restrict incoming icmpv6, set to "1" but may break some
+# connection types
+IPV6_ICMP_STRICT = "0"
+
+# Pre v2.6.20 kernel must set this option to "0" as no working state module is
+# present, so a static firewall is configured as a fallback
+#
+# A workaround has been added for CentOS/RedHat v5 and custom kernels that do
+# not support IPv6 connection tracking by opening ephemeral port range
+# 32768:61000. This is only applied if IPV6_SPI is not enabled. 
This is the
+# same workaround implemented by RedHat in the sample default IPv6 rules
+#
+# As connection tracking will not be configured, applications that rely on it
+# will not function unless all outgoing ports are opened. Therefore, all
+# outgoing connections will be allowed once all other tests have completed. So
+# TCP6_OUT, UDP6_OUT and ICMP6_OUT will not have any affect.
+#
+# If you allow incoming ipv6 DNS lookups you may need to use the following
+# directive in the options{} section of your named.conf:
+#
+# query-source-v6 port 53;
+#
+# This will force ipv6 incoming DNS traffic only through port 53
+#
+# These changes are not necessary if the SPI firewall is used
+IPV6_SPI = "1"
+
+# Allow incoming IPv6 TCP ports
+TCP6_IN = "22,25,53,80,110,143,443,465,587"
+
+# Allow outgoing IPv6 TCP ports
+TCP6_OUT = "22,25,53,80,110,113,443,587"
+
+# Allow incoming IPv6 UDP ports
+UDP6_IN = "53"
+
+# Allow outgoing IPv6 UDP ports
+# To allow outgoing traceroute add 33434:33523 to this list
+UDP6_OUT = "53,113"
+
+###############################################################################
+# SECTION:General Settings
+###############################################################################
+# By default, csf will auto-configure iptables to filter all traffic except on
+# the loopback device. If you only want iptables rules applied to a specific
+# NIC, then list it here (e.g. eth1, or eth+)
+ETH_DEVICE = ""
+
+# By adding a device to this option, ip6tables can be configured only on the
+# specified device. 
Otherwise, ETH_DEVICE and then the default setting will be
+# used
+ETH6_DEVICE = ""
+
+# If you don't want iptables rules applied to specific NICs, then list them in
+# a comma separated list (e.g "eth1,eth2")
+ETH_DEVICE_SKIP = ""
+
+# This option should be enabled unless the kernel does not support the
+# "conntrack" module
+#
+# To use the deprecated iptables "state" module, change this to 0
+USE_CONNTRACK = "1"
+
+# Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34+)
+# instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper
+# This will also remove the RELATED target from the global state iptables rule
+#
+# This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or
+# the raw tables do not exist. The USE_CONNTRACK option should be enabled
+#
+# To enable this option, set it to your FTP server listening port number
+# (normally 21), do NOT set it to "1"
+USE_FTPHELPER = "21"
+
+# Check whether syslog is running. Many of the lfd checks require syslog to be
+# running correctly. This test will send a coded message to syslog every
+# SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded
+# message. If it fails to do so within SYSLOG_CHECK seconds an alert using
+# syslogalert.txt is sent
+#
+# A value of between 300 and 3600 seconds is suggested. Set to 0 to disable
+SYSLOG_CHECK = "3600"
+
+# Enable this option if you want lfd to ignore (i.e. don't block) IP addresses
+# listed in csf.allow in addition to csf.ignore (the default). This option
+# should be used with caution as it would mean that IP's allowed through the
+# firewall from infected PC's could launch attacks on the server that lfd
+# would ignore
+IGNORE_ALLOW = "1"
+
+# Enable the following option if you want to apply strict iptables rules to DNS
+# traffic (i.e. relying on iptables connection tracking). 
Enabling this option
+# could cause DNS resolution issues both to and from the server but could help
+# prevent abuse of the local DNS server
+DNS_STRICT = "0"
+
+# Enable the following option if you want to apply strict iptables rules to DNS
+# traffic between the server and the nameservers listed in /etc/resolv.conf
+# Enabling this option could cause DNS resolution issues both to and from the
+# server but could help prevent abuse of the local DNS server
+DNS_STRICT_NS = "0"
+
+# Limit the number of IP's kept in the /etc/csf/csf.deny file
+#
+# Care should be taken when increasing this value on servers with low memory
+# resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the
+# thousands) can sometimes cause network slowdown
+#
+# The value set here is the maximum number of IPs/CIDRs allowed
+# if the limit is reached, the entries will be rotated so that the oldest
+# entries (i.e. the ones at the top) will be removed and the latest is added.
+# The limit is only checked when using csf -d (which is what lfd also uses)
+# Set to 0 to disable limiting
+#
+# For implementations wishing to set this value significantly higher, we
+# recommend using the IPSET option
+DENY_IP_LIMIT = "999"
+
+# Limit the number of IP's kept in the temprary IP ban list. If the limit is
+# reached the oldest IP's in the ban list will be removed and allowed
+# regardless of the amount of time remaining for the block
+# Set to 0 to disable limiting
+DENY_TEMP_IP_LIMIT = "999"
+
+# Enable login failure detection daemon (lfd). If set to 0 none of the
+# following settings will have any effect as the daemon won't start.
+LF_DAEMON = "1"
+
+# Check whether csf appears to have been stopped and restart if necessary,
+# unless TESTING is enabled above. The check is done every 300 seconds
+LF_CSF = "1"
+
+# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
+# IP6TABLES_RESTORE in two ways:
+#
+# 1. 
On a clean server reboot the entire csf iptables configuration is saved
+# and then restored where possible to provide a near instant firewall
+# startup[*]
+#
+# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
+# BOGON, TOR are loaded using this method in a fraction of the time than if
+# this setting is disabled
+#
+# [*]Not supported on all OS platforms
+#
+# Set to "0" to disable this functionality
+FASTSTART = "1"
+
+# This option allows you to use ipset v6+ for the following csf options:
+# CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,
+# GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER
+#
+# ipset will only be used with the above options when listing IPs and CIDRs.
+# Advanced Allow Filters and temporary blocks use traditional iptables
+#
+# Using ipset moves the onus of ip matching against large lists away from
+# iptables rules and to a purpose built and optimised database matching
+# utility. It also simplifies the switching in of updated lists
+#
+# To use this option you must have a fully functioning installation of ipset
+# installed either via rpm or source from http://ipset.netfilter.org/
+#
+# Note: Using ipset has many advantages, some disadvantages are that you will
+# no longer see packet and byte counts against IPs and it makes identifying
+# blocked/allowed IPs that little bit harder
+#
+# Note: If you mainly use IP address only entries in csf.deny, you can increase
+# the value of DENY_IP_LIMIT significantly if you wish
+#
+# Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ
+# containers even if it has been installed
+#
+# If you find any problems, please post on forums.configserver.com with full
+# details of the issue
+LF_IPSET = "1"
+
+# Versions of iptables greater or equal to v1.4.20 should support the --wait
+# option. 
This forces iptables commands that use the option to wait until a
+# lock by any other process using iptables completes, rather than simply
+# failing
+#
+# Enabling this feature will add the --wait option to iptables commands
+#
+# NOTE: The disadvantage of using this option is that any iptables command that
+# uses it will hang until the lock is released. This could cause a cascade of
+# hung processes trying to issue iptables commands. To try and avoid this issue
+# csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger
+# a failure if reached
+WAITLOCK = "0"
+WAITLOCK_TIMEOUT = "300"
+
+# The following sets the hashsize for ipset sets, which must be a power of 2.
+#
+# Note: Increasing this value will consume more memory for all sets
+# Default: "1024"
+LF_IPSET_HASHSIZE = "1024"
+
+# The following sets the maxelem for ipset sets.
+#
+# Note: Increasing this value will consume more memory for all sets
+# Default: "65536"
+LF_IPSET_MAXELEM = "99999"
+
+# If you enable this option then whenever a CLI request to restart csf is used
+# lfd will restart csf instead within LF_PARSE seconds
+#
+# This feature can be helpful for restarting configurations that cannot use
+# FASTSTART
+LFDSTART = "0"
+
+# Enable verbose output of iptables commands
+VERBOSE = "0"
+
+# Drop out of order packets and packets in an INVALID state in iptables
+# connection tracking
+PACKET_FILTER = "1"
+
+# Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS)
+LF_LOOKUPS = "1"
+
+# Custom styling is possible in the csf UI. See the readme.txt for more
+# information under "UI skinning and Mobile View"
+#
+# This option enables the use of custom styling. If the styling fails to work
+# correctly, e.g. 
custom styling does not take into account a change in the
+# standard csf UI, then disabling this option will return the standard UI
+STYLE_CUSTOM = "1"
+
+# This option disables the presence of the Mobile View in the csf UI
+STYLE_MOBILE = "1"
+
+###############################################################################
+# SECTION:SMTP Settings
+###############################################################################
+# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
+# to use the exim/sendmail binary instead of sockets access). This replaces the
+# protection as WHM > Tweak Settings > SMTP Tweaks
+#
+# This option uses the iptables ipt_owner/xt_owner module and must be loaded
+# for it to work. It may not be available on some VPS platforms
+#
+# Note: Run /etc/csf/csftest.pl to check whether this option will function on
+# this server
+SMTP_BLOCK = "1"
+
+# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
+# on the server (e.g. for webmail or web scripts) then enable this option to
+# allow outgoing SMTP connections to the loopback device
+SMTP_ALLOWLOCAL = "1"
+
+# This option redirects outgoing SMTP connections destined for remote servers
+# for non-bypass users to the local SMTP server to force local relaying of
+# email. Such email may require authentication (SMTP AUTH)
+SMTP_REDIRECT = "0"
+
+# This is a comma separated list of the ports to block. 
You should list all
+# ports that exim is configured to listen on
+SMTP_PORTS = "25,465,587"
+
+# Always allow the following comma separated users and groups to bypass
+# SMTP_BLOCK
+#
+# Note: root (UID:0) is always allowed
+SMTP_ALLOWUSER = "postfix,vmail,nobody"
+SMTP_ALLOWGROUP = "mail,nobody"
+
+# This option will only allow SMTP AUTH to be advertised to the IP addresses
+# listed in /etc/csf/csf.smtpauth on EXIM mail servers
+#
+# The additional option CC_ALLOW_SMTPAUTH can be used with this option to
+# additionally restrict access to specific countries
+#
+# This is to help limit attempts at distributed attacks against SMTP AUTH which
+# are difficult to achive since port 25 needs to be open to relay email
+#
+# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
+# connection, then SMTP AUTH will not accept logins, defeating the attacks
+# without restricting mail relaying
+#
+# Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
+# that the lookup file in /etc/exim.smtpauth is regenerated from the
+# information from /etc/csf/csf.smtpauth plus any countries listed in
+# CC_ALLOW_SMTPAUTH
+#
+# NOTE: To make this option work you MUST make the modifications to exim.conf
+# as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
+# after enabling the option here, otherwise this option will not work
+#
+# To enable this option, set to 1 and make the exim configuration changes
+# To disable this option, set to 0 and undo the exim configuration changes
+SMTPAUTH_RESTRICT = "0"
+
+###############################################################################
+# SECTION:Port Flood Settings
+###############################################################################
+# Enable SYN Flood Protection. This option configures iptables to offer some
+# protection from tcp SYN packet DOS attempts. 
You should set the RATE so that
+# false-positives are kept to a minimum otherwise visitors may see connection
+# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
+# man page for the correct --limit rate syntax
+#
+# Note: This option should ONLY be enabled if you know you are under a SYN
+# flood attack as it will slow down all new connections from any IP address to
+# the server if triggered
+SYNFLOOD = "0"
+SYNFLOOD_RATE = "50/s"
+SYNFLOOD_BURST = "150"
+
+# Connection Limit Protection. This option configures iptables to offer more
+# protection from DOS attacks against specific ports. It can also be used as a
+# way to simply limit resource usage by IP address to specific server services.
+# This option limits the number of concurrent new connections per IP address
+# that can be made to specific ports
+#
+# This feature does not work on servers that do not have the iptables module
+# xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
+# server admins should check with their VPS host provider that the iptables
+# module is included
+#
+# For further information and syntax refer to the Connection Limit Protection
+# section of the csf readme.txt
+#
+# Note: Run /etc/csf/csftest.pl to check whether this option will function on
+# this server
+CONNLIMIT = ""
+
+# Port Flood Protection. This option configures iptables to offer protection
+# from DOS attacks against specific ports. This option limits the number of
+# new connections per time interval that can be made to specific ports
+#
+# This feature does not work on servers that do not have the iptables module
+# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. 
VPS
+# server admins should check with their VPS host provider that the iptables
+# module is included
+#
+# For further information and syntax refer to the Port Flood Protection
+# section of the csf readme.txt
+#
+# Note: Run /etc/csf/csftest.pl to check whether this option will function on
+# this server
+PORTFLOOD = "25;tcp;15;5"
+
+# Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
+# These typically originate from exploit scripts uploaded through vulnerable
+# web scripts. Care should be taken on servers that use services that utilise
+# high levels of UDP outbound traffic, such as SNMP, so you may need to alter
+# the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
+#
+# We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
+UDPFLOOD = "0"
+UDPFLOOD_LIMIT = "100/s"
+UDPFLOOD_BURST = "500"
+
+# This is a list of usernames that should not be rate limited, such as "named"
+# to prevent bind traffic from being limited.
+#
+# Note: root (UID:0) is always allowed
+UDPFLOOD_ALLOWUSER = "named"
+
+###############################################################################
+# SECTION:Logging Settings
+###############################################################################
+# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
+# perl module Sys::Syslog installed to use this feature
+SYSLOG = "1"
+
+# Drop target for incoming iptables rules. This can be set to either DROP or
+# REJECT. REJECT will send back an error packet, DROP will not respond at all.
+# REJECT is more polite, however it does provide extra information to a hacker
+# and lets them know that a firewall is blocking their attempts. DROP hangs
+# their connection, thereby frustrating attempts to port scan the server
+DROP = "DROP"
+
+# Drop target for outgoing iptables rules. 
This can be set to either DROP or
+# REJECT as with DROP, however as such connections are from this server it is
+# better to REJECT connections to closed ports rather than to DROP them. This
+# helps to immediately free up server resources rather than tying them up until
+# a connection times out. It also tells the process making the connection that
+# it has immediately failed
+#
+# It is possible that some monolithic kernels may not support the REJECT
+# target. If this is the case, csf checks before using REJECT and falls back to
+# using DROP, issuing a warning to set this to DROP instead
+DROP_OUT = "REJECT"
+
+# Enable logging of dropped connections to blocked ports to syslog, usually
+# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
+DROP_LOGGING = "1"
+
+# Enable logging of dropped incoming connections from blocked IP addresses
+#
+# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
+DROP_IP_LOGGING = "0"
+
+# Enable logging of dropped outgoing connections
+#
+# Note: Only outgoing SYN packets for TCP connections are logged, other
+# protocols log all packets
+#
+# We recommend that you enable this option
+DROP_OUT_LOGGING = "1"
+
+# Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting
+# out (where available) which can help track abuse
+DROP_UID_LOGGING = "1"
+
+# Only log incoming reserved port dropped connections (0:1023). This can reduce
+# the amount of log noise from dropped connections, but will affect options
+# such as Port Scan Tracking (PS_INTERVAL)
+DROP_ONLYRES = "0"
+
+# Commonly blocked ports that you do not want logging as they tend to just fill
+# up the log file. 
These ports are specifically blocked (applied to TCP and UDP
+# protocols) for incoming connections
+DROP_NOLOG = "67,68,111,113,135:139,445,500,513,520"
+
+# Log packets dropped by the packet filtering option PACKET_FILTER
+DROP_PF_LOGGING = "1"
+
+# Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
+# this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
+# addresses breaking the Connection Limit Protection will be blocked
+CONNLIMIT_LOGGING = "1"
+
+# Enable logging of UDP floods. This should be enabled, especially with User ID
+# Tracking enabled
+UDPFLOOD_LOGGING = "1"
+
+# Send an alert if log file flooding is detected which causes lfd to skip log
+# lines to prevent lfd from looping. If this alert is sent you should check the
+# reported log file for the reason for the flooding
+LOGFLOOD_ALERT = "0"
+
+###############################################################################
+# SECTION:Reporting Settings
+###############################################################################
+# By default, lfd will send alert emails using the relevant alert template to
+# the To: address configured within that template. Setting the following
+# option will override the configured To: field in all lfd alert emails
+#
+# Leave this option empty to use the To: field setting in each alert template
+LF_ALERT_TO = ""
+
+# By default, lfd will send alert emails using the relevant alert template from
+# the From: address configured within that template. Setting the following
+# option will override the configured From: field in all lfd alert emails
+#
+# Leave this option empty to use the 
From: field setting in each alert template
+LF_ALERT_FROM = ""
+
+# By default, lfd will send all alerts using the SENDMAIL binary. To send using
+# SMTP directly, you can set the following to a relaying SMTP server, e.g.
+# "127.0.0.1". Leave this setting blank to use SENDMAIL
+LF_ALERT_SMTP = ""
+
+# Block Reporting. lfd can run an external script when it performs and IP
+# address block following for example a login failure. The following setting
+# is to the full path of the external script which must be executable. See
+# readme.txt for format details
+#
+# Leave this setting blank to disable
+BLOCK_REPORT = ""
+
+# To also run an external script when a temporary block is unblocked. The
+# following setting can be the full path of the external script which must be
+# executable. See readme.txt for format details
+#
+# Leave this setting blank to disable
+UNBLOCK_REPORT = ""
+
+# In addition to the standard lfd email alerts, you can additionally enable the
+# sending of X-ARF reports (see http://www.xarf.org/specification.html). Only
+# block alert messages will be sent. The reports use our schema at:
+# https://download.configserver.com/abuse_login-attack_0.2.json
+#
+# These reports are in a format accepted by many Netblock owners and should
+# help them investigate abuse. This option is not designed to automatically
+# forward these reports to the Netblock owners and should be checked for
+# false-positive blocks before reporting
+#
+# If available, the report will also include the abuse contact for the IP from
+# the Abusix Contact DB: https://abusix.com/contactdb.html
+#
+# Note: The following block types are not reported through this feature:
+# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
+X_ARF = "0"
+
+# By default, lfd will send emails from the root forwarder. Setting the
+# following option will override this
+X_ARF_FROM = ""
+
+# By default, lfd will send emails to the root forwarder. 
Setting the following
+# option will override this
+X_ARF_TO = ""
+
+# If you want to automatically send reports to the abuse contact where found,
+# you can enable the following option
+#
+# Note: You MUST set X_ARF_FROM to a valid email address for this option to
+# work. This is so that the abuse contact can reply to the report
+#
+# However, you should be aware that without manual checking you could be
+# reporting innocent IP addresses, including your own clients, yourself and
+# your own servers
+#
+# Additionally, just because a contact address is found, does not mean that
+# there is anyone on the end of it reading, processing or acting on such
+# reports and you could conceivably reported for sending spam
+#
+# We do not recommend enabling this option. Abuse reports should be checked and
+# verified before being forwarded to the abuse contact
+X_ARF_ABUSE = "0"
+
+###############################################################################
+# SECTION:Temp to Perm/Netblock Settings
+###############################################################################
+# Temporary to Permanent IP blocking. The following enables this feature to
+# permanently block IP addresses that have been temporarily blocked more than
+# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
+# LF_PERMBLOCK to "1" to enable this feature
+#
+# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
+# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
+# (TTL) for blocked IPs, to be effective
+#
+# Set LF_PERMBLOCK to "0" to disable this feature
+LF_PERMBLOCK = "1"
+LF_PERMBLOCK_INTERVAL = "86400"
+LF_PERMBLOCK_COUNT = "2"
+LF_PERMBLOCK_ALERT = "0"
+
+# Permanently block IPs by network class. 
The following enables this feature
+# to permanently block classes of IP address where individual IP addresses
+# within the same class LF_NETBLOCK_CLASS have already been blocked more than
+# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
+# LF_NETBLOCK to "1" to enable this feature
+#
+# This can be an affective way of blocking DDOS attacks launched from within
+# the same network class
+#
+# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
+# consideration is required when blocking network classes A or B
+#
+# Set LF_NETBLOCK to "0" to disable this feature
+LF_NETBLOCK = "1"
+LF_NETBLOCK_INTERVAL = "86400"
+LF_NETBLOCK_COUNT = "2"
+LF_NETBLOCK_CLASS = "C"
+LF_NETBLOCK_ALERT = "0"
+
+# Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24"
+# Great care should be taken with IPV6 netblock ranges due to the large number
+# of addresses involved
+#
+# To disable IPv6 netblocks set to ""
+LF_NETBLOCK_IPV6 = ""
+
+###############################################################################
+# SECTION:Global Lists/DYNDNS/Blocklists
+###############################################################################
+# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
+# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
+# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
+# chain, then flush and delete the old dynamic chain and rename the new chain.
+#
+# This prevents a small window of opportunity opening when an update occurs and
+# the dynamic chain is flushed for the new rules.
+#
+# This option should not be enabled on servers with long dynamic chains (e.g.
+# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
+# Virtuozzo VPS servers with a restricted numiptent value. 
This is because each
+# chain will effectively be duplicated while the update occurs, doubling the
+# number of iptables rules
+SAFECHAINUPDATE = "1"
+
+# If you wish to allow access from dynamic DNS records (for example if your IP
+# address changes whenever you connect to the internet but you have a dedicated
+# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
+# records in csf.dyndns and then set the following to the number of seconds to
+# poll for a change in the IP address. If the IP address has changed iptables
+# will be updated.
+#
+# If the FQDN has multiple A records then all of the IP addresses will be
+# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
+# also be allowed.
+#
+# A setting of 600 would check for IP updates every 10 minutes. Set the value
+# to 0 to disable the feature
+DYNDNS = "0"
+
+# To always ignore DYNDNS IP addresses in lfd blocking, set the following
+# option to 1
+DYNDNS_IGNORE = "0"
+
+# The follow Global options allow you to specify a URL where csf can grab a
+# centralised copy of an IP allow or deny block list of your own. You need to
+# specify the full URL in the following options, i.e.:
+# http://www.somelocation.com/allow.txt
+#
+# The actual retrieval of these IP's is controlled by lfd, so you need to set
+# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
+# will perform the retrieval when it runs and then again at the specified
+# interval. A sensible interval would probably be every 3600 seconds (1 hour).
+# A minimum value of 300 is enforced for LF_GLOBAL if enabled
+#
+# You do not have to specify both an allow and a deny file
+#
+# You can also configure a global ignore file for IP's that lfd should ignore
+LF_GLOBAL = "86400"
+
+GLOBAL_ALLOW = ""
+GLOBAL_DENY = ""
+GLOBAL_IGNORE = ""
+
+# Provides the same functionality as DYNDNS but with a GLOBAL URL file. 
Set
+# this to the URL of the file containing DYNDNS entries
+GLOBAL_DYNDNS = ""
+
+# Set the following to the number of seconds to poll for a change in the IP
+# address resoved from GLOBAL_DYNDNS
+GLOBAL_DYNDNS_INTERVAL = "600"
+
+# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
+# option to 1
+GLOBAL_DYNDNS_IGNORE = "0"
+
+# Blocklists are controlled by modifying /etc/csf/csf.blocklists
+#
+# If you don't want BOGON rules applied to specific NICs, then list them in
+# a comma separated list (e.g "eth1,eth2")
+LF_BOGON_SKIP = ""
+
+# The following option can be used to select the method csf will use to
+# retrieve URL data and files
+#
+# This can be set to use:
+#
+# 1. Perl module HTTP::Tiny
+# 2. Perl module LWP::UserAgent
+# 3. CURL/WGET (set location at the bottom of csf.conf if installed)
+#
+# HTTP::Tiny is much faster than LWP::UserAgent and is included in the csf
+# distribution. LWP::UserAgent may have to be installed manually, but it can
+# better support https:// URL's which also needs the LWP::Protocol::https perl
+# module
+#
+# CURL/WGET uses the system binaries if installed but does not always provide
+# good feedback when it fails. The script will first look for CURL, if that
+# does not exist at the configured location it will then look for WGET
+#
+# Additionally, 1 or 2 are used and the retrieval fails, then if either CURL or
+# WGET are available, an additional attempt will be using CURL/WGET. 
This is
+# useful if the perl distribution has outdated modules that do not support
+# modern SSL/TLS implementations
+#
+# To install the LWP perl modules required:
+#
+# On rpm based systems:
+#
+# yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
+#
+# On APT based systems:
+#
+# apt-get install libwww-perl liblwp-protocol-https-perl
+#
+# Via cpan:
+#
+# perl -MCPAN -eshell
+# cpan> install LWP LWP::Protocol::https
+#
+# We recommend setting this set to "2" or "3" as upgrades to csf will be
+# performed over SSL as well as other URLs used when retrieving external data
+#
+# "1" = HTTP::Tiny
+# "2" = LWP::UserAgent
+# "3" = CURL/WGET (set location at the bottom of csf.conf)
+URLGET = "2"
+
+# If you need csf/lfd to use a proxy, then you can set this option to the URL
+# of the proxy. The proxy provided will be used for both HTTP and HTTPS
+# connections
+URLPROXY = ""
+
+###############################################################################
+# SECTION:Country Code Lists and Settings
+###############################################################################
+# Country Code to CIDR allow/deny. In the following options you can allow or
+# deny whole country CIDR ranges. The CIDR blocks are obtained from a selected
+# source below. They also display Country Code Country and City for reported IP
+# addresses and lookups
+#
+# There are a number of sources for these databases, before utilising them you
+# need to visit each site and ensure you abide by their license provisions
+# where stated:
+
+# 1. MaxMind
+#
+# MaxMind GeoLite2 Country/City and ASN databases at:
+# https://dev.MaxMind.com/geoip/geoip2/geolite2/
+# This feature relies entirely on that service being available
+#
+# Advantages: This is a one stop shop for all of the databases required for
+# these features. They provide a consistent dataset for blocking and reporting
+# purposes
+#
+# Disadvantages: MaxMind require a license key to download their databases. 
+# This is free of charge, but requires the user to create an account on their
+# website to generate the required key:
+#
+# WARNING: As of 2019-12-29, MaxMind REQUIRES you to create an account on their
+# site and to generate a license key to use their databases. See:
+# https://www.maxmind.com/en/geolite2/signup
+# https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/
+#
+# You MUST set the following to continue using the IP lookup features of csf,
+# otherwise an error will be generated and the features will not work.
+# Alternatively set CC_SRC below to a different provider
+#
+# MaxMind License Key:
+MM_LICENSE_KEY = "2JB4mfoq2dRJEc8p"
+
+# 2. DB-IP, ipdeny.com, iptoasn.com
+#
+# Advantages: The ipdeny.com databases form CC blocking are better optimised
+# and so are quicker to process and create fewer iptables entries. All of these
+# databases are free to download without requiring login or key
+#
+# Disadvantages: Multiple sources mean that any one of the three could
+# interrupt the provision of these features. It may also mean that there are
+# inconsistences between them
+#
+# https://db-ip.com/db/lite.php
+# http://ipdeny.com/
+# https://iptoasn.com/
+# http://download.geonames.org/export/dump/readme.txt
+
+# Set the following to your preferred source:
+#
+# "1" - MaxMind
+# "2" - db-ip, ipdeny, iptoasn
+#
+# The default is "2" on new installations of csf, or set to "1" to use the
+# MaxMind databases after obtaining a license key
+CC_SRC = "1"
+
+# In the following options, specify the the two-letter ISO Country Code(s).
+# The iptables rules are for incoming connections only
+#
+# Additionally, ASN numbers can also be added to the comma separated lists
+# below that also list Country Codes. The same WARNINGS for Country Codes apply
+# to the use of ASNs. 
More about Autonomous System Numbers (ASN):
+# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
+# ASNs must be listed as ASnnnn (where nnnn is the ASN number)
+#
+# You should consider using LF_IPSET when using any of the following options
+#
+# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
+# non-geographic IP address designations for their clients
+#
+# WARNING: Some of the CIDR lists are huge and each one requires a rule within
+# the incoming iptables chain. This can result in significant performance
+# overheads and could render the server inaccessible in some circumstances. For
+# this reason (amongst others) we do not recommend using these options
+#
+# WARNING: Due to the resource constraints on VPS servers this feature should
+# not be used on such systems unless you choose very small CC zones
+#
+# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
+# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
+# preferred
+#
+# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
+CC_DENY = ""
+CC_ALLOW = ""
+
+# An alternative to CC_ALLOW is to only allow access from the following
+# countries but still filter based on the port and packets rules. All other
+# connections are dropped
+CC_ALLOW_FILTER = ""
+
+# This option allows access from the following countries to specific ports
+# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
+#
+# Note: The rules for this feature are inserted after the allow and deny
+# rules to still allow blocking of IP addresses
+#
+# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
+CC_ALLOW_PORTS = ""
+
+# All listed ports should be removed from TCP_IN/UDP_IN to block access from
+# elsewhere. 
This option uses the same format as TCP_IN/UDP_IN
+#
+# An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
+# then only countries listed in CC_ALLOW_PORTS can access FTP
+CC_ALLOW_PORTS_TCP = ""
+CC_ALLOW_PORTS_UDP = ""
+
+# This option denies access from the following countries to specific ports
+# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
+#
+# Note: The rules for this feature are inserted after the allow and deny
+# rules to still allow allowing of IP addresses
+#
+# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
+CC_DENY_PORTS = ""
+
+# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
+# NOT be removed from TCP_IN/UDP_IN
+#
+# An example would be to list port 21 here then countries listed in
+# CC_DENY_PORTS cannot access FTP
+CC_DENY_PORTS_TCP = ""
+CC_DENY_PORTS_UDP = ""
+
+# This Country Code list will prevent lfd from blocking IP address hits for the
+# listed CC's
+#
+# CC_LOOKUPS must be enabled to use this option
+CC_IGNORE = ""
+
+# This Country Code list will only allow SMTP AUTH to be advertised to the
+# listed countries in EXIM. 
This is to help limit attempts at distributed +# attacks against SMTP AUTH which are difficult to achive since port 25 needs +# to be open to relay email +# +# The reason why this works is that if EXIM does not advertise SMTP AUTH on a +# connection, then SMTP AUTH will not accept logins, defeating the attacks +# without restricting mail relaying +# +# This option can generate a very large list of IP addresses that could easily +# severely impact on SMTP (mail) performance, so care must be taken when +# selecting countries and if performance issues ensue +# +# The option SMTPAUTH_RESTRICT must be enabled to use this option +CC_ALLOW_SMTPAUTH = "" + +# These options can control which IP blocks are redirected to the MESSENGER +# service, if it is enabled +# +# If Country Codes are listed in CC_MESSENGER_ALLOW, then only a blocked IP +# that resolves to one of those Country Codes will be redirected to the +# MESSENGER service +# +# If Country Codes are listed in CC_MESSENGER_DENY, then a blocked IP that +# resolves to one of those Country Codes will NOT be redirected to the +# MESSENGER service +# +CC_MESSENGER_ALLOW = "" +CC_MESSENGER_DENY = "" + +# Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller +# than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can +# help reduce the number of CC entries and may improve iptables throughput. +# Obviously, this will deny/allow fewer IP addresses depending on how small you +# configure the option +# +# For example, to ignore all CIDR (and single IP) entries small than a /16, set +# this option to "16". Set to "" to block all CC IP addresses +CC_DROP_CIDR = "" + +# Display Country Code and Country for reported IP addresses. This option can +# be configured to use the databases enabled at the top of this section. 
An +# additional option is also available if you cannot use those databases: +# +# "0" - disable +# "1" - Reports: Country Code and Country +# "2" - Reports: Country Code and Country and Region and City +# "3" - Reports: Country Code and Country and Region and City and ASN +# "4" - Reports: Country Code and Country and Region and City (db-ip.com) +# +# Note: "4" does not use the databases enabled at the top of this section +# directly for lookups. Instead it uses a URL-based lookup from +# https://db-ip.com and so avoids having to download and process the large +# databases. Please visit the https://db-ip.com and read their limitations and +# understand that this option will either cease to function or be removed by us +# if that site is abused or overloaded. ONLY use this option if you have +# difficulties using the databases enabled at the top of this section. This +# option is ONLY for IP lookups, NOT when using the CC_* options above, which +# will continue to use the databases enabled at the top of this section +# +CC_LOOKUPS = "2" + +# Display Country Code and Country for reported IPv6 addresses using the +# databases enabled at the top of this section +# +# "0" - disable +# "1" - enable and report the detail level as specified in CC_LOOKUPS +# +# This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and +# PORTFLOOD +CC6_LOOKUPS = "0" + +# This option tells lfd how often to retrieve the databases for CC_ALLOW, +# CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in days) +CC_INTERVAL = "7" + +############################################################################### +# SECTION:Login Failure Blocking and Alerts +############################################################################### +# The following[*] triggers are application specific. 
If you set LF_TRIGGER to +# "0" the value of each trigger is the number of failures against that +# application that will trigger lfd to block the IP address +# +# If you set LF_TRIGGER to a value greater than "0" then the following[*] +# application triggers are simply on or off ("0" or "1") and the value of +# LF_TRIGGER is the total cumulative number of failures that will trigger lfd +# to block the IP address +# +# Setting the application trigger to "0" disables it +LF_TRIGGER = "0" + +# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently +# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than +# "1" and the IP address will be blocked temporarily for that value in seconds. +# For example: +# LF_TRIGGER_PERM = "1" => the IP is blocked permanently +# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour +# +# If LF_TRIGGER is "0", then the application LF_[application]_PERM value works +# in the same way as above and LF_TRIGGER_PERM serves no function +LF_TRIGGER_PERM = "1" + +# To only block access to the failed application instead of a complete block +# for an ip address, you can set the following to "1", but LF_TRIGGER must be +# set to "0" with specific application[*] trigger levels also set appropriately +# +# The ports that are blocked can be configured by changing the PORTS_* options +LF_SELECT = "1" + +# Send an email alert if an IP address is blocked by one of the [*] triggers +LF_EMAIL_ALERT = "0" + +# Send an email alert if an IP address is only temporarily blocked by one of +# the [*] triggers +# +# Note: LF_EMAIL_ALERT must still be enabled to get permanent block emails +LF_TEMP_EMAIL_ALERT = "1" + +# [*]Enable login failure detection of sshd connections +# +# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. 
Read +# this file about RESTRICT_SYSLOG before enabling this option: +LF_SSHD = "5" +LF_SSHD_PERM = "300" + +# [*]Enable login failure detection of ftp connections +# +# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read +# this file about RESTRICT_SYSLOG before enabling this option: +LF_FTPD = "5" +LF_FTPD_PERM = "300" + +# [*]Enable login failure detection of SMTP AUTH connections +LF_SMTPAUTH = "1" +LF_SMTPAUTH_PERM = "3600" + +# [*]Enable syntax failure detection of Exim connections +LF_EXIMSYNTAX = "5" +LF_EXIMSYNTAX_PERM = "1" + +# [*]Enable login failure detection of pop3 connections +# +# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read +# this file about RESTRICT_SYSLOG before enabling this option: +LF_POP3D = "10" +LF_POP3D_PERM = "300" + +# [*]Enable login failure detection of imap connections +# +# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read +# this file about RESTRICT_SYSLOG before enabling this option: +LF_IMAPD = "10" +LF_IMAPD_PERM = "300" + +# [*]Enable login failure detection of Apache .htpasswd connections +# Due to the often high logging rate in the Apache error log, you might want to +# enable this option only if you know you are suffering from attacks against +# password protected directories +LF_HTACCESS = "5" +LF_HTACCESS_PERM = "300" + +# [*]Enable failure detection of repeated Apache mod_security rule triggers +LF_MODSEC = "10" +LF_MODSEC_PERM = "900" + +# [*]Enable detection of repeated BIND denied requests +# This option should be enabled with care as it will prevent blocked IPs from +# resolving any domains on the server. You might want to set the trigger value +# reasonably high to avoid this +# Example: LF_BIND = "100" +LF_BIND = "100" +LF_BIND_PERM = "1" + +# [*]Enable detection of repeated suhosin ALERTs +# Example: LF_SUHOSIN = "5" +# +# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. 
Read +# this file about RESTRICT_SYSLOG before enabling this option: +LF_SUHOSIN = "10" +LF_SUHOSIN_PERM = "300" + +# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers +# This option will block IP addresses if cxs detects a hits from the +# ModSecurity rule associated with it +# +# Note: This option takes precedence over LF_MODSEC and removes any hits +# counted towards LF_MODSEC for the cxs rule +# +# This setting should probably set very low, perhaps to 1, if you want to +# effectively block IP addresses for this trigger option +LF_CXS = "1" +LF_CXS_PERM = "1" + +# [*]Enable detection of repeated Apache mod_qos rule triggers +LF_QOS = "1" +LF_QOS_PERM = "1" + +# [*]Enable detection of repeated Apache symlink race condition triggers from +# the Apache patch provided by: +# http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html +# This patch has also been included by cPanel via the easyapache option: +# "Symlink Race Condition Protection" +LF_SYMLINK = "1" +LF_SYMLINK_PERM = "1" + +# [*]Enable login failure detection of webmin connections +# +# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read +# this file about RESTRICT_SYSLOG before enabling this option: +LF_WEBMIN = "1" +LF_WEBMIN_PERM = "1" + +# Send an email alert if anyone logs in successfully using SSH +# +# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read +# this file about RESTRICT_SYSLOG before enabling this option: +LF_SSH_EMAIL_ALERT = "1" + +# Send an email alert if anyone uses su to access another account. This will +# send an email alert whether the attempt to use su was successful or not +# +# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read +# this file about RESTRICT_SYSLOG before enabling this option: +LF_SU_EMAIL_ALERT = "1" + +# Send an email alert if anyone uses sudo to access another account. 
This will +# send an email alert whether the attempt to use sudo was successful or not +# +# NOTE: This option could become onerous if sudo is used extensively for root +# access by administrators or control panels. It is provided for those where +# this is not the case +# +# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read +# this file about RESTRICT_SYSLOG before enabling this option: +LF_SUDO_EMAIL_ALERT = "1" + +# Send an email alert if anyone accesses webmin +# +# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read +# this file about RESTRICT_SYSLOG before enabling this option: +LF_WEBMIN_EMAIL_ALERT = "0" + +# Send an email alert if anyone logs in successfully to root on the console +# +# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read +# this file about RESTRICT_SYSLOG before enabling this option: +LF_CONSOLE_EMAIL_ALERT = "1" + +# This option will keep track of the number of "File does not exist" errors in +# HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL +# seconds then the IP address will be blocked +# +# Care should be used with this option as it could generate many +# false-positives, especially Search Bots (use csf.rignore to ignore such bots) +# so only use this option if you know you are under this type of attack +# +# A sensible setting for this would be quite high, perhaps 200 +# +# To disable set to "0" +LF_APACHE_404 = "0" + +# If this option is set to 1 the blocks will be permanent +# If this option is > 1, the blocks will be temporary for the specified number +# of seconds +LF_APACHE_404_PERM = "0" + +# This option will keep track of the number of "client denied by server +# configuration" errors in HTACCESS_LOG. 
If the number of hits is more than +# LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked +# +# Care should be used with this option as it could generate many +# false-positives, especially Search Bots (use csf.rignore to ignore such bots) +# so only use this option if you know you are under this type of attack +# +# A sensible setting for this would be quite high, perhaps 200 +# +# To disable set to "0" +LF_APACHE_403 = "0" + +# If this option is set to 1 the blocks will be permanent +# If this option is > 1, the blocks will be temporary for the specified number +# of seconds +LF_APACHE_403_PERM = "0" + +# This option will keep track of the number of 401 failures in HTACCESS_LOG. +# If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then +# the IP address will be blocked +# +# To disable set to "0" +LF_APACHE_401 = "0" + +# This option is used to determine if the Apache error_log format contains the +# client port after the client IP. In Apache prior to v2.4, this was not the +# case. In Apache v2.4+ the error_log format can be configured using +# ErrorLogFormat, making the port directive optional +# +# Unfortunately v2.4 ErrorLogFormat places the port number after a colon next +# to the client IP by default. This makes determining client IPv6 addresses +# difficult unless we know whether the port is being appended or not +# +# lfd will attempt to autodetect the correct value if this option is set to "0" +# from the httpd binary found in common locations. 
If it fails to find a binary +# it will be set to "2", unless specified here +# +# The value can be set here explicitly if the autodetection does not work: +# 0 - autodetect +# 1 - no port directive after client IP +# 2 - port directive after client IP +LF_APACHE_ERRPORT = "0" + +# If this option is set to 1 the blocks will be permanent +# If this option is > 1, the blocks will be temporary for the specified number +# of seconds +LF_APACHE_401_PERM = "3600" + +# This option will send an alert if the ModSecurity IP persistent storage grows +# excessively large: https://goo.gl/rGh5sF +# +# More information on cPanel servers here: https://goo.gl/vo6xTE +# +# LF_MODSECIPDB_FILE must be set to the correct location of the database file +# +# The check is performed at lfd startup and then once per hour, the template +# used is modsecipdbalert.txt +# +# Set to "0" to disable this option, otherwise it is the threshold size of the +# file to report in gigabytes, e.g. set to 5 for 5GB +LF_MODSECIPDB_ALERT = "0" + +# This is the location of the persistent IP storage file on the server, e.g.: +# /var/run/modsecurity/data/ip.pag +# /var/cpanel/secdatadir/ip.pag +# /var/cache/modsecurity/ip.pag +# /usr/local/apache/conf/modsec/data/msa/ip.pag +# /var/tmp/ip.pag +# /tmp/ip.pag +LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag" + +# System Exploit Checking. This option is designed to perform a series of tests +# to send an alert in case a possible server compromise is detected +# +# To enable this feature set the following to the checking interval in seconds +# (a value of 300 would seem sensible). +# +# To disable set to "0" +LF_EXPLOIT = "300" + +# This comma separated list allows you to ignore tests LF_EXPLOIT performs +# +# For the SUPERUSER check, you can list usernames in csf.suignore to have them +# ignored for that test +# +# Valid tests are: +# SUPERUSER +# +# If you want to ignore a test add it to this as a comma separated list, e.g. 
+# "SUPERUSER" +LF_EXPLOIT_IGNORE = "" + +# Set the time interval to track login and other LF_ failures within (seconds), +# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds +LF_INTERVAL = "300" + +# This is how long the lfd process sleeps (in seconds) before processing the +# log file entries and checking whether other events need to be triggered +LF_PARSE = "5" + +# This is the interval that is used to flush reports of usernames, files and +# pids so that persistent problems continue to be reported, in seconds. +# A value of 3600 seems sensible +LF_FLUSH = "3600" + +# Under some circumstances iptables can fail to include a rule instruction, +# especially if more than one request is made concurrently. In this event, a +# permanent block entry may exist in csf.deny, but not in iptables. +# +# This option instructs csf to deny an already blocked IP address the number +# of times set. The downside, is that there will be multiple entries for an IP +# address in csf.deny and possibly multiple rules for the same IP address in +# iptables. This needs to be taken into consideration when unblocking such IP +# addresses. +# +# Set to "0" to disable this feature. Do not set this too high for the reasons +# detailed above (e.g. "5" should be more than enough) +LF_REPEATBLOCK = "0" + +# By default csf will create both an inbound and outbound blocks from/to an IP +# unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most +# effective way to block IP traffic. This option instructs csf to only block +# inbound traffic from those IP's and so reduces the number of iptables rules, +# but at the expense of less effectiveness. 
For this reason we recommend +# leaving this option disabled +# +# Set to "0" to disable this feature - the default +LF_BLOCKINONLY = "0" + +############################################################################### +# SECTION:CloudFlare +############################################################################### +# This features provides interaction with the CloudFlare Firewall +# +# As CloudFlare is a reverse proxy, any attacking IP addresses (so far as +# iptables is concerned) come from the CloudFlare IP's. To counter this, an +# Apache module (mod_cloudflare) is available that obtains the true attackers +# IP from a custom HTTP header record (similar functionality is available +# for other HTTP daemons +# +# However, despite now knowing the true attacking IP address, iptables cannot +# be used to block that IP as the traffic is still coming from the CloudFlare +# servers +# +# CloudFlare have provided a Firewall feature within the user account where +# rules can be added to block, challenge or whitelist IP addresses +# +# Using the CloudFlare API, this feature adds and removes attacking IPs from +# that firewall and provides CLI (and via the UI) additional commands +# +# See /etc/csf/readme.txt for more information about this feature and the +# restrictions for its use BEFORE enabling this feature +CF_ENABLE = "0" + +# This can be set to either "block" or "challenge" (see CloudFlare docs) +CF_BLOCK = "block" + +# This setting determines how long the temporary block will apply within csf +# and CloudFlare, keeping them in sync +# +# Block duration in seconds - overrides perm block or time of individual blocks +# in lfd for block triggers +CF_TEMP = "3600" + +############################################################################### +# SECTION:Directory Watching & Integrity +############################################################################### +# Enable Directory Watching. 
This enables lfd to check /tmp and /dev/shm +# directories for suspicious files, i.e. script exploits. If a suspicious +# file is found an email alert is sent. One alert per file per LF_FLUSH +# interval is sent +# +# To enable this feature set the following to the checking interval in seconds. +# To disable set to "0" +LF_DIRWATCH = "300" + +# To remove any suspicious files found during directory watching, enable the +# following. These files will be appended to a tarball in +# /var/lib/csf/suspicious.tar +LF_DIRWATCH_DISABLE = "1" + +# This option allows you to have lfd watch a particular file or directory for +# changes and should they change and email alert using watchalert.txt is sent +# +# To enable this feature set the following to the checking interval in seconds +# (a value of 60 would seem sensible) and add your entries to csf.dirwatch +# +# Set to disable set to "0" +LF_DIRWATCH_FILE = "0" + +# System Integrity Checking. This enables lfd to compare md5sums of the +# servers OS binary application files from the time when lfd starts. If the +# md5sum of a monitored file changes an alert is sent. This option is intended +# as an IDS (Intrusion Detection System) and is the last line of detection for +# a possible root compromise. +# +# There will be constant false-positives as the servers OS is updated or +# monitored application binaries are updated. However, unexpected changes +# should be carefully inspected. +# +# Modified files will only be reported via email once. +# +# To enable this feature set the following to the checking interval in seconds +# (a value of 3600 would seem sensible). This option may increase server I/O +# load onto the server as it checks system binaries. +# +# To disable set to "0" +LF_INTEGRITY = "3600" + +############################################################################### +# SECTION:Distributed Attacks +############################################################################### +# Distributed Account Attack. 
This option will keep track of login failures +# from distributed IP addresses to a specific application account. If the +# number of failures matches the trigger value above, ALL of the IP addresses +# involved in the attack will be blocked according to the temp/perm rules above +# +# Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD, +# LF_HTACCESS +# +# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read +# this file about RESTRICT_SYSLOG before enabling this option: +LF_DISTATTACK = "1" + +# Set the following to the minimum number of unique IP addresses that trigger +# LF_DISTATTACK +LF_DISTATTACK_UNIQ = "2" + +# Distributed FTP Logins. This option will keep track of successful FTP logins. +# If the number of successful logins to an individual account is at least +# LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses, +# then all of the IP addresses will be blocked +# +# This option can help mitigate the common FTP account compromise attacks that +# use a distributed network of zombies to deface websites +# +# A sensible setting for this might be 5, depending on how many different +# IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL +# +# To disable set to "0" +# +# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read +# this file about RESTRICT_SYSLOG before enabling this option: +LF_DISTFTP = "5" + +# Set the following to the minimum number of unique IP addresses that trigger +# LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work +LF_DISTFTP_UNIQ = "3" + +# If this option is set to 1 the blocks will be permanent +# If this option is > 1, the blocks will be temporary for the specified number +# of seconds +LF_DISTFTP_PERM = "1" + +# Send an email alert if LF_DISTFTP is triggered +LF_DISTFTP_ALERT = "1" + +# Distributed SMTP Logins. This option will keep track of successful SMTP +# logins. 
If the number of successful logins to an individual account is at +# least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP +# addresses, then all of the IP addresses will be blocked. These options only +# apply to the exim MTA +# +# This option can help mitigate the common SMTP account compromise attacks that +# use a distributed network of zombies to send spam +# +# A sensible setting for this might be 5, depending on how many different +# IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL +# +# To disable set to "0" +LF_DISTSMTP = "5" + +# Set the following to the minimum number of unique IP addresses that trigger +# LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work +LF_DISTSMTP_UNIQ = "3" + +# If this option is set to 1 the blocks will be permanent +# If this option is > 1, the blocks will be temporary for the specified number +# of seconds +LF_DISTSMTP_PERM = "1" + +# Send an email alert if LF_DISTSMTP is triggered +LF_DISTSMTP_ALERT = "1" + +# This is the interval during which a distributed FTP or SMTP attack is +# measured +LF_DIST_INTERVAL = "300" + +# If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the +# path to a script, it will run the script and pass the following as arguments: +# +# LF_DISTFTP/LF_DISTSMTP +# account name +# log file text +# +# The action script must have the execute bit and interpreter (shebang) set +LF_DIST_ACTION = "" + +############################################################################### +# SECTION:Login Tracking +############################################################################### +# Block POP3 logins if greater than LT_POP3D times per hour per account per IP +# address (0=disabled) +# +# This is a temporary block for the rest of the hour, afterwhich the IP is +# unblocked +# +# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. 
Read +# this file about RESTRICT_SYSLOG before enabling this option: +LT_POP3D = "0" + +# Block IMAP logins if greater than LT_IMAPD times per hour per account per IP +# address (0=disabled) - not recommended for IMAP logins due to the ethos +# within which IMAP works. If you want to use this, setting it quite high is +# probably a good idea +# +# This is a temporary block for the rest of the hour, afterwhich the IP is +# unblocked +# +# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read +# this file about RESTRICT_SYSLOG before enabling this option: +LT_IMAPD = "0" + +# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour +# per IP +LT_EMAIL_ALERT = "1" + +# If LF_PERMBLOCK is enabled but you do not want this to apply to +# LT_POP3D/LT_IMAPD, then enable this option +LT_SKIPPERMBLOCK = "1" + +############################################################################### +# SECTION:Connection Tracking +############################################################################### +# Connection Tracking. This option enables tracking of all connections from IP +# addresses to the server. If the total number of connections is greater than +# this value then the offending IP address is blocked. This can be used to help +# prevent some types of DOS attack. +# +# Care should be taken with this option. It's entirely possible that you will +# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD +# and HTTP so it could be quite easy to trigger, especially with a lot of +# closed connections in TIME_WAIT. However, for a server that is prone to DOS +# attacks this may be very useful. A reasonable setting for this option might +# be around 300. +# +# To disable this feature, set this to 0 +CT_LIMIT = "15" + +# Connection Tracking interval. 
Set this to the the number of seconds between +# connection tracking scans +CT_INTERVAL = "60" + +# Send an email alert if an IP address is blocked due to connection tracking +CT_EMAIL_ALERT = "1" + +# If you want to make IP blocks permanent then set this to 1, otherwise blocks +# will be temporary and will be cleared after CT_BLOCK_TIME seconds +CT_PERMANENT = "0" + +# If you opt for temporary IP blocks for CT, then the following is the interval +# in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins) +CT_BLOCK_TIME = "3600" + +# If you don't want to count the TIME_WAIT state against the connection count +# then set the following to "1" +CT_SKIP_TIME_WAIT = "1" + +# If you only want to count specific states (e.g. SYN_RECV) then add the states +# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT" +# +# Leave this option empty to count all states against CT_LIMIT +CT_STATES = "" + +# If you only want to count specific ports (e.g. 80,443) then add the ports +# to the following as a comma separated list. E.g. "80,443" +# +# Leave this option empty to count all ports against CT_LIMIT +CT_PORTS = "25,26,465,587" + +# If the total number of connections from a class C subnet is greater than this +# value then the offending subnet is blocked according to the other CT_* +# settings +# +# This option can be used to help prevent some types of DOS attack where a +# range of IP's between x.y.z.1-255 has connected to the server +# +# If you use a reverse proxy service such as Cloudflare you should not enable +# this option, or should exclude the ports that you have proxied in CT_PORTS +# +# To disable this feature, set this to 0 +CT_SUBNET_LIMIT = "0" + +############################################################################### +# SECTION:Process Tracking +############################################################################### +# Process Tracking. 
This option enables tracking of user and nobody processes +# and examines them for suspicious executables or open network ports. Its +# purpose is to identify potential exploit processes that are running on the +# server, even if they are obfuscated to appear as system services. If a +# suspicious process is found an alert email is sent with relevant information. +# It is then the responsibility of the recipient to investigate the process +# further as the script takes no further action +# +# The following is the number of seconds a process has to be active before it +# is inspected. If you set this time too low, then you will likely trigger +# false-positives with CGI or PHP scripts. +# Set the value to 0 to disable this feature +PT_LIMIT = "60" + +# How frequently processes are checked in seconds +PT_INTERVAL = "60" + +# If you want process tracking to highlight php or perl scripts that are run +# through apache then disable the following, +# i.e. set it to 0 +# +# While enabling this setting will reduce false-positives, having it set to 0 +# does provide better checking for exploits running on the server +PT_SKIP_HTTP = "0" + +# lfd will report processes, even if they're listed in csf.pignore, if they're +# tagged as (deleted) by Linux. This information is provided in Linux under +# /proc/PID/exe. A (deleted) process is one that is running a binary that has +# the inode for the file removed from the file system directory. This usually +# happens when the binary has been replaced due to an upgrade for it by the OS +# vendor or another third party (e.g. cPanel). You need to investigate whether +# this is indeed the case to be sure that the original binary has not been +# replaced by a rootkit or is running an exploit. 
+#
+# Note: If a deleted executable process is detected and reported then lfd will
+# not report children of the parent (or the parent itself if a child triggered
+# the report) if the parent is also a deleted executable process
+#
+# To stop lfd reporting such process you need to restart the daemon to which it
+# belongs and therefore run the process using the replacement binary (presuming
+# one exists). This will normally mean running the associated startup script in
+# /etc/init.d/
+#
+# If you do want lfd to report deleted binary processes, set to 1
+PT_DELETED = "1"
+
+# If a PT_DELETED event is triggered, then if the following contains the path to
+# a script, it will be run in a child process and passed the executable, pid,
+# account for the process, and parent pid
+#
+# The action script must have the execute bit and interpreter (shebang) set. An
+# example is provided in /usr/local/csf/bin/pt_deleted_action.pl
+#
+# WARNING: Make sure you read and understand the potential security
+# implications of such processes in PT_DELETED above before simply restarting
+# such processes with a script
+PT_DELETED_ACTION = ""
+
+# User Process Tracking. This option enables the tracking of the number of
+# process any given account is running at one time. If the number of processes
+# exceeds the value of the following setting an email alert is sent with
+# details of those processes. If you specify a user in csf.pignore it will be
+# ignored
+#
+# Set to 0 to disable this feature
+PT_USERPROC = "0"
+
+# This User Process Tracking option sends an alert if any user process exceeds
+# the virtual memory usage set (MB). To ignore specific processes or users use
+# csf.pignore
+#
+# Set to 0 to disable this feature
+PT_USERMEM = "0"
+
+# This User Process Tracking option sends an alert if any user process exceeds
+# the RSS memory usage set (MB) - RAM used, not virtual. To ignore specific
+# processes or users use csf.pignore
+#
+# Set to 0 to disable this feature
+PT_USERRSS = "0"
+
+# This User Process Tracking option sends an alert if any linux user process
+# exceeds the time usage set (seconds). To ignore specific processes or users
+# use csf.pignore
+#
+# Set to 0 to disable this feature
+PT_USERTIME = "0"
+
+# If this option is set then processes detected by PT_USERMEM, PT_USERTIME or
+# PT_USERPROC are killed
+#
+# Warning: We don't recommend enabling this option unless absolutely necessary
+# as it can cause unexpected problems when processes are suddenly terminated.
+# It can also lead to system processes being terminated which could cause
+# stability issues. It is much better to leave this option disabled and to
+# investigate each case as it is reported when the triggers above are breached
+#
+# Note: Processes that are running deleted excecutables (see PT_DELETED) will
+# not be killed by lfd
+PT_USERKILL = "0"
+
+# If you want to disable email alerts if PT_USERKILL is triggered, then set
+# this option to 0
+PT_USERKILL_ALERT = "1"
+
+# If a PT_* event is triggered, then if the following contains the path to
+# a script, it will be run in a child process and passed the PID(s) of the
+# process(es) in a comma separated list.
+#
+# The action script must have the execute bit and interpreter (shebang) set
+PT_USER_ACTION = ""
+
+# Check the PT_LOAD_AVG minute Load Average (can be set to 1 5 or 15 and
+# defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the
+# load average is greater than or equal to PT_LOAD_LEVEL then an email alert is
+# sent. lfd then does not report subsequent high load until PT_LOAD_SKIP
+# seconds has passed to prevent email floods.
+#
+# Set PT_LOAD to "0" to disable this feature
+PT_LOAD = "30"
+PT_LOAD_AVG = "5"
+PT_LOAD_LEVEL = "6"
+PT_LOAD_SKIP = "1800"
+
+# This is the Apache Server Status URL used in the email alert. Requires the
+# Apache mod_status module to be installed and configured correctly
+PT_APACHESTATUS = ""
+
+# If a PT_LOAD event is triggered, then if the following contains the path to
+# a script, it will be run in a child process. For example, the script could
+# contain commands to terminate and restart httpd, php, exim, etc incase of
+# looping processes. The action script must have the execute bit an
+# interpreter (shebang) set
+PT_LOAD_ACTION = ""
+
+# Fork Bomb Protection. This option checks the number of processes with the
+# same session id and if greater than the value set, the whole session tree is
+# terminated and an alert sent
+#
+# You can see an example of common session id processes on most Linux systems
+# using: "ps axf -O sid"
+#
+# On cPanel servers, PT_ALL_USERS should be enabled to use this option
+# effectively
+#
+# This option will check root owned processes. Session id 0 and 1 will always
+# be ignored as they represent kernel and init processes. csf.pignore will be
+# honoured, but bear in mind that a session tree can contain a variety of users
+# and executables
+#
+# Care needs to be taken to ensure that this option only detects runaway fork
+# bombs, so should be set higher than any session tree is likely to get (e.g.
+# httpd could have 100s of legitimate children on very busy systems). A
+# sensible starting point on most servers might be 250
+PT_FORKBOMB = "250"
+
+# Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes
+# are often left hanging after their connecting IP addresses have been blocked
+#
+# This option will terminate the SSH processes created by the blocked IP. This
+# option is preferred over PT_SSHDHUNG
+PT_SSHDKILL = "1"
+
+# This option will terminate all processes with the cmdline of "sshd: unknown
+# [net]" or "sshd: unknown [priv]" if they have been running for more than 60
+# seconds
+PT_SSHDHUNG = "0"
+
+###############################################################################
+# SECTION:Port Scan Tracking
+###############################################################################
+# Port Scan Tracking. This feature tracks port blocks logged by iptables to
+# syslog. If an IP address generates a port block that is logged more than
+# PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked.
+#
+# This feature could, for example, be useful for blocking hackers attempting
+# to access the standard SSH port if you have moved it to a port other than 22
+# and have removed 22 from the TCP_IN list so that connection attempts to the
+# old port are being logged
+#
+# This feature blocks all iptables blocks from the iptables logs, including
+# repeated attempts to one port or SYN flood blocks, etc
+#
+# Note: This feature will only track iptables blocks from the log file set in
+# IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will
+# cause redundant blocking with DROP_IP_LOGGING enabled
+#
+# Warning: It's possible that an elaborate DDOS (i.e. from multiple IP's)
+# could very quickly fill the iptables rule chains and cause a DOS in itself.
+# The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks
+# and the DENY_TEMP_IP_LIMIT with temporary blocks
+#
+# Set PS_INTERVAL to "0" to disable this feature. A value of between 60 and 300
+# would be sensible to enable this feature
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+PS_INTERVAL = "60"
+PS_LIMIT = "15"
+
+# You can specify the ports and/or port ranges that should be tracked by the
+# Port Scan Tracking feature. The following setting is a comma separated list
+# of those ports and uses the same format as TCP_IN. The setting of
+# 0:65535,ICMP,INVALID,OPEN,BRD covers all ports
+#
+# Special values are:
+# ICMP - include ICMP blocks (see ICMP_*)
+# INVALID - include INVALID blocks (see PACKET_FILTER)
+# OPEN - include TCP_IN and UDP_IN open port blocks - *[proto]_IN Blocked*
+# BRD - include UDP Broadcast IPs, otherwise they are ignored
+PS_PORTS = "0:65535,ICMP"
+
+# To specify how many different ports qualifies as a Port Scan you can increase
+# the following from the default value of 1. The risk in doing so will mean
+# that persistent attempts to attack a specific closed port will not be
+# detected and blocked
+PS_DIVERSITY = "1"
+
+# You can select whether IP blocks for Port Scan Tracking should be temporary
+# or permanent. Set PS_PERMANENT to "0" for temporary and "1" for permanent
+# blocking. If set to "0" PS_BLOCK_TIME is the amount of time in seconds to
+# temporarily block the IP address for
+PS_PERMANENT = "0"
+PS_BLOCK_TIME = "1800"
+
+# Set the following to "1" to enable Port Scan Tracking email alerts, set to
+# "0" to disable them
+PS_EMAIL_ALERT = "1"
+
+###############################################################################
+# SECTION:User ID Tracking
+###############################################################################
+# User ID Tracking. This feature tracks UID blocks logged by iptables to
+# syslog. If a UID generates a port block that is logged more than UID_LIMIT
+# times within UID_INTERVAL seconds, an alert will be sent
+#
+# Note: This feature will only track iptables blocks from the log file set in
+# IPTABLES_LOG and if DROP_OUT_LOGGING and DROP_UID_LOGGING are enabled.
+#
+# To ignore specific UIDs list them in csf.uidignore and then restart lfd
+#
+# Set UID_INTERVAL to "0" to disable this feature. A value of between 60 and 300
+# would be sensible to enable this feature
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+UID_INTERVAL = "0"
+UID_LIMIT = "10"
+
+# You can specify the ports and/or port ranges that should be tracked by the
+# User ID Tracking feature. The following setting is a comma separated list
+# of those ports and uses the same format as TCP_OUT. The default setting of
+# 0:65535,ICMP covers all ports
+UID_PORTS = "0:65535,ICMP"
+
+###############################################################################
+# SECTION:Account Tracking
+###############################################################################
+# Account Tracking. The following options enable the tracking of modifications
+# to the accounts on a server. If any of the enabled options are triggered by
+# a modifications to an account, an alert email is sent. Only the modification
+# is reported. The cause of the modification will have to be investigated
+# manually
+#
+# You can set AT_ALERT to the following:
+# 0 = disable this feature
+# 1 = enable this feature for all accounts
+# 2 = enable this feature only for superuser accounts (UID = 0, e.g. root, etc)
+# 3 = enable this feature only for the root account
+AT_ALERT = "1"
+
+# This options is the interval between checks in seconds
+AT_INTERVAL = "60"
+
+# Send alert if a new account is created
+AT_NEW = "1"
+
+# Send alert if an existing account is deleted
+AT_OLD = "1"
+
+# Send alert if an account password has changed
+AT_PASSWD = "1"
+
+# Send alert if an account uid has changed
+AT_UID = "1"
+
+# Send alert if an account gid has changed
+AT_GID = "1"
+
+# Send alert if an account login directory has changed
+AT_DIR = "1"
+
+# Send alert if an account login shell has changed
+AT_SHELL = "1"
+
+###############################################################################
+# SECTION:Integrated User Interface
+###############################################################################
+# Integrated User Interface. This feature provides a HTML UI to csf and lfd,
+# without requiring a control panel or web server. The UI runs as a sub process
+# to the lfd daemon
+#
+# As it runs under the root account and successful login provides root access
+# to the server, great care should be taken when configuring and using this
+# feature. There are additional restrictions to enhance secure access to the UI
+#
+# See readme.txt for more information about using this feature BEFORE enabling
+# it for security and access reasons
+#
+# 1 to enable, 0 to disable
+UI = "1"
+
+# Set this to the port that want to bind this service to. You should configure
+# this port to be >1023 and different from any other port already being used
+#
+# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
+# to the port using Advanced Allow Filters (see readme.txt)
+UI_PORT = "1908"
+
+# Optionally set the IP address to bind to. Normally this should be left blank
+# to bind to all IP addresses on the server.
+#
+# If the server is configured for IPv6 but the IP to bind to is IPv4, then the
+# IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
+# ::ffff:1.2.3.4
+#
+# Leave blank to bind to all IP addresses on the server
+UI_IP = ""
+
+# This should be a secure, hard to guess username
+#
+# This must be changed from the default
+UI_USER = "csfadmin"
+
+# This should be a secure, hard to guess password. That is, at least 8
+# characters long with a mixture of upper and lowercase characters plus
+# numbers and non-alphanumeric characters
+#
+# This must be changed from the default
+UI_PASS = "d8z4a80"
+
+# This is the login session timeout. If there is no activity for a logged in
+# session within this number of seconds, the session will timeout and a new
+# login will be required
+#
+# For security reasons, you should always keep this option low (i.e 60-300)
+UI_TIMEOUT = "300"
+
+# This is the maximum concurrent connections allowed to the server. The default
+# value should be sufficient
+UI_CHILDREN = "3"
+
+# The number of login retries allowed within a 24 hour period. A successful
+# login from the IP address will clear the failures
+#
+# For security reasons, you should always keep this option low (i.e 0-10)
+UI_RETRY = "5"
+
+# If enabled, this option will add the connecting IP address to the file
+# /etc/csf/ui/ui.ban after UI_RETRY login failures. The IP address will not be
+# able to login to the UI while it is listed in this file. The UI_BAN setting
+# does not refer to any of the csf/lfd allow or ignore files, e.g. csf.allow,
+# csf.ignore, etc.
+#
+# For security reasons, you should always enable this option
+UI_BAN = "1"
+
+# If enabled, only IPs (or CIDR's) listed in the file /etc/csf/ui/ui.allow will
+# be allowed to login to the UI. The UI_ALLOW setting does not refer to any of
+# the csf/lfd allow or ignore files, e.g. csf.allow, csf.ignore, etc.
+#
+# For security reasons, you should always enable this option and use ui.allow
+UI_ALLOW = "1"
+
+# If enabled, this option will trigger an iptables block through csf after
+# UI_RETRY login failures
+#
+# 0 = no block;1 = perm block;nn=temp block for nn secs
+UI_BLOCK = "1"
+
+# This controls what email alerts are sent with regards to logins to the UI. It
+# uses the uialert.txt template
+#
+# 4 = login success + login failure/ban/block + login attempts
+# 3 = login success + login failure/ban/block
+# 2 = login failure/ban/block
+# 1 = login ban/block
+# 0 = disabled
+UI_ALERT = "4"
+
+# This is the SSL cipher list that the Integrated UI will negotiate from
+UI_CIPHER = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH"
+
+# This is the SSL protocol version used. See IO::Socket::SSL if you wish to
+# change this and to understand the implications of changing it
+UI_SSL_VERSION = "SSLv23:!SSLv2"
+
+# If cxs is installed then enabling this option will provide a dropdown box to
+# switch between applications
+UI_CXS = "1"
+
+# There is a modified installation of ConfigServer Explorer (cse) provided with
+# the csf distribution. If this option is enabled it will provide a dropdown
+# box to switch between applications
+UI_CSE = "1"
+
+###############################################################################
+# SECTION:Messenger service
+###############################################################################
+# Messenger service. This feature allows the display of a message to a blocked
+# connecting IP address to inform the user that they are blocked in the
+# firewall. This can help when users get themselves blocked, e.g. due to
+# multiple login failures. The service is provided by two daemons running on
+# ports providing either an HTML or TEXT message
+#
+# This feature does not work on servers that do not have the iptables module
+# ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS
+# server admins should check with their VPS host provider that the iptables
+# module is included
+#
+# IPv6 will need the IO::Socket::INET6 perl module
+#
+# For further information on features and limitations refer to the csf
+# readme.txt
+#
+# Note: Run /etc/csf/csftest.pl to check whether this option will function on
+# this server
+#
+# 1 to enable, 0 to disable
+MESSENGER = "1"
+
+# Provide this service to temporary IP address blocks
+MESSENGER_TEMP = "1"
+
+# Provide this service to permanent IP address blocks
+MESSENGER_PERM = "1"
+
+# User account to run the service servers under. We recommend creating a
+# specific non-priv, non-shell account for this purpose
+#
+# Note: When using MESSENGERV2, this account must NOT be a valid control panel
+# account, it must be created manually as explained in the csf readme.txt
+MESSENGER_USER = "csf"
+
+# This option points to the file(s) containing the Apache VirtualHost SSL
+# definitions. This can be a file glob if there are multiple files to search.
+# Only Apache v2 SSL VirtualHost definitions are supported
+#
+# This is used by MESSENGERV1 and MESSENGERV2 only
+MESSENGER_HTTPS_CONF = "/etc/httpd/conf.d/ssl.conf"
+
+# The following options can be specified to provide a default fallback
+# certificate to be used if either SNI is not supported or a hosted domain does
+# not have an SSL certificate. If a fallback is not provided, one of the certs
+# obtained from MESSENGER_HTTPS_CONF will be used
+#
+# This is used by MESSENGERV1 and MESSENGERV2 only
+MESSENGER_HTTPS_KEY = "/etc/pki/tls/private/localhost.key"
+MESSENGER_HTTPS_CRT = "/etc/pki/tls/certs/localhost.crt"
+
+# Set this to the port that will receive the HTTPS HTML message. You should
+# configure this port to be >1023 and different from the TEXT and HTML port. Do
+# NOT enable access to this port in TCP_IN. This option requires the perl
+# module IO::Socket::SSL at a version level that supports SNI (1.83+).
+# Additionally the version of openssl on the server must also support SNI
+#
+# The option uses existing SSL certificates on the server for each domain to
+# maintain a secure connection without browser warnings. It uses SNI to choose
+# the correct certificate to use for each client connection
+#
+# Warning: On some servers the amount of memory used by the HTTPS MESSENGER
+# service can become significant depending on various factors associated with
+# the use of IO::Socket::SSL including the number of domains and certificates
+# served. This is normally only an issue if using MESSENGERV1
+MESSENGER_HTTPS = "8887"
+
+# This comma separated list are the HTTPS HTML ports that will be redirected
+# for the blocked IP address. If you are using per application blocking
+# (LF_TRIGGER) then only the relevant block port will be redirected to the
+# messenger port
+#
+# Recommended setting "443" plus any end-user control panel SSL ports. So, for
+# cPanel: "443,2083,2096"
+MESSENGER_HTTPS_IN = ""
+
+# Set this to the port that will receive the HTML message. You should configure
+# this port to be >1023 and different from the TEXT port. Do NOT enable access
+# to this port in TCP_IN
+MESSENGER_HTML = "8888"
+
+# This comma separated list are the HTML ports that will be redirected for the
+# blocked IP address. If you are using per application blocking (LF_TRIGGER)
+# then only the relevant block port will be redirected to the messenger port
+MESSENGER_HTML_IN = "80,2082,2093,2095"
+
+# Set this to the port that will receive the TEXT message. You should configure
+# this port to be >1023 and different from the HTML port. Do NOT enable access
+# to this port in TCP_IN
+MESSENGER_TEXT = "8889"
+
+# This comma separated list are the TEXT ports that will be redirected for the
+# blocked IP address. If you are using per application blocking (LF_TRIGGER)
+# then only the relevant block port will be redirected to the messenger port
+MESSENGER_TEXT_IN = "21"
+
+# These settings limit the rate at which connections can be made to the
+# messenger service servers. Its intention is to provide protection from
+# attacks or excessive connections to the servers. If the rate is exceeded then
+# iptables will revert for the duration to the normal blocking activity
+#
+# See the iptables man page for the correct --limit rate syntax
+MESSENGER_RATE = "15/m"
+MESSENGER_BURST = "150"
+
+# MESSENGERV1 only:
+#------------------------------------------------------------------------------
+# This is the maximum concurrent connections allowed to each service server
+#
+# Note: This number should be increased to cater for the number of local images
+# served by this page, including one for favicon.ico. This is because each
+# image displayed counts as an additional connection
+MESSENGER_CHILDREN = "5"
+
+# This options ignores ServerAlias definitions that begin with "mail.". This
+# can help reduce memory usage on systems that do not require the use of
+# MESSENGER_HTTPS on those subdomains
+#
+# Set to 0 to include these ServerAlias definitions
+MESSENGER_HTTPS_SKIPMAIL = "1"
+
+# MESSENGERV2 only:
+#------------------------------------------------------------------------------
+# MESSENGERV2. This option is available on cPanel servers running Apache v2.4+
+# under EA4.
+#
+# This uses the Apache http daemon to provide the web server functionality for
+# the MESSENGER HTML and HTTPS services. It uses a fraction of the resources
+# that the lfd inbuilt service uses and overcomes the memory overhead of using
+# the MESSENGER HTTPS service
+#
+# For more information consult readme.txt before enabling this option
+#MESSENGERV2 = "0"
+
+# MESSENGERV3 only:
+#------------------------------------------------------------------------------
+# MESSENGERV3. This option is available on any server running Apache v2.4+,
+# Litespeed or Openlitespeed
+#
+# This uses the web server http daemon to provide the web server functionality
+# for the MESSENGER HTML and HTTPS services. It uses a fraction of the
+# resources that the lfd inbuilt service uses and overcomes the memory overhead
+# of using the MESSENGER HTTPS service
+#
+# For more information consult readme.txt before enabling this option
+MESSENGERV3 = "0"
+
+# This is the file or directory where the additional web server configuration
+# file should be included
+MESSENGERV3LOCATION = "/etc/httpd/conf.d/"
+
+# This is the command to restart the web server
+MESSENGERV3RESTART = "service httpd restart"
+
+# This is the command to test the validity of the web server configuration. If
+# using Litespeed, set to ""
+MESSENGERV3TEST = "/usr/sbin/apachectl -t"
+
+# This must be set to the main httpd.conf file for either Apache or Litespeed
+MESSENGERV3HTTPS_CONF = "/etc/httpd/conf/httpd.conf"
+
+# This can be set to either:
+# "apache" - for servers running Apache v2.4+ or Litespeed using Apache
+# configuration
+# "litespeed" - for Litespeed or Openlitespeed
+MESSENGERV3WEBSERVER = "apache"
+
+# On creation, set the MESSENGER_USER public_html directory permissions to
+# Note: If you precreate this directory the following setting will be ignored
+MESSENGERV3PERMS = "711"
+
+# On creation, set the MESSENGER_USER public_html directory group user to
+# Note: If you precreate this directory the following setting will be ignored
+MESSENGERV3GROUP = "apache"
+
+# This is the web server configuration to allow PHP scripts to run. If left
+# empty, the MESSENGER service will try to configure this. If this does not
+# work, this should be set as an "Include /path/to/csf_php.conf" or similar
+# file which must contain appropriate web server configuration to allow PHP
+# scripts to run. This line will be included within each MESSENGER VirtualHost
+# container. This will replace the [MESSENGERV3PHPHANDLER] line from the csf
+# webserver template files
+MESSENGERV3PHPHANDLER = ""
+
+# RECAPTCHA:
+#------------------------------------------------------------------------------
+# The RECAPTCHA options provide a way for end-users that have blocked
+# themselves in the firewall to unblock themselves.
+#
+# A valid Google ReCAPTCHA (v2) key set is required for this feature from:
+# https://www.google.com/recaptcha/intro/index.html
+#
+# When configuring a new reCAPTCHA API key set you must ensure that the option
+# for "Domain Name Validation" is unticked so that the same reCAPTCHA can be
+# used for all domains hosted on the server. lfd then checks that the hostname
+# of the request resolves to an IP on this server
+#
+# This feature requires the installation of the LWP::UserAgent perl module (see
+# option URLGET for more details)
+#
+# The template used for this feature is /etc/csf/messenger/index.recaptcha.html
+#
+# Note: An unblock will fail if the end-users IP is located in a netblock,
+# blocklist or CC_* deny entry
+RECAPTCHA_SITEKEY = ""
+RECAPTCHA_SECRET = ""
+
+# Send an email when an IP address successfully attempts to unblock themselves.
+# This does not necessarily mean the IP was unblocked, only that the
+# post-recaptcha unblock request was attempted
+#
+# Set to "0" to disable
+RECAPTCHA_ALERT = "1"
+
+# If the server uses NAT then resolving the hostname to hosted IPs will likely
+# not succeed. In that case, the external IP addresses must be listed as comma
+# separated list here
+RECAPTCHA_NAT = ""
+
+###############################################################################
+# SECTION:lfd Clustering
+###############################################################################
+# lfd Clustering. This allows the configuration of an lfd cluster environment
+# where a group of servers can share blocks and configuration option changes.
+# Included are CLI and UI options to send requests to the cluster.
+#
+# See the readme.txt file for more information and details on setup and
+# security risks.
+#
+# Set this to a comma separated list of cluster member IP addresses to send
+# requests to. Alternatively, it can be set to the full path of a file that
+# will read in one IP per line, e.g.:
+# "/etc/csf/cluster_sendto.txt"
+CLUSTER_SENDTO = ""
+
+# Set this to a comma separated list of cluster member IP addresses to receive
+# requests from. Alternatively, it can be set to the full path of a file that
+# will read in one IP per line, e.g.:
+# "/etc/csf/cluster_recvfrom.txt"
+CLUSTER_RECVFROM = ""
+
+# IP address of the master node in the cluster allowed to send CLUSTER_CONFIG
+# changes
+CLUSTER_MASTER = ""
+
+# If this is a NAT server, set this to the public IP address of this server
+CLUSTER_NAT = ""
+
+# If a cluster member should send requests on an IP other than the default IP,
+# set it here
+CLUSTER_LOCALADDR = ""
+
+# Cluster communication port (must be the same on all member servers). There
+# is no need to open this port in the firewall as csf will automatically add
+# in and out bound rules to allow communication between cluster members
+CLUSTER_PORT = "7777"
+
+# This is a secret key used to encrypt cluster communications using the
+# Blowfish algorithm. It should be between 8 and 56 characters long,
+# preferably > 20 random characters
+# 56 chars: 01234567890123456789012345678901234567890123456789012345
+CLUSTER_KEY = ""
+
+# Automatically send lfd blocks to all members of CLUSTER_SENDTO. Those
+# servers must have this servers IP address listed in their CLUSTER_RECVFROM
+#
+# Set to 0 to disable this feature
+CLUSTER_BLOCK = "1"
+
+# This option allows the enabling and disabling of the Cluster configuration
+# changing options --cconfig, --cconfigr, --cfile, --ccfile sent from the
+# CLUSTER_MASTER server
+#
+# Set this option to 1 to allow Cluster configurations to be received
+CLUSTER_CONFIG = "0"
+
+# Maximum number of child processes to listen on. High blocking rates or large
+# clusters may need to increase this
+CLUSTER_CHILDREN = "10"
+
+###############################################################################
+# SECTION:Port Knocking
+###############################################################################
+# Port Knocking. This feature allows port knocking to be enabled on multiple
+# ports with a variable number of knocked ports and a timeout. There must be a
+# minimum of 3 ports to knock for an entry to be valid
+#
+# See the following for information regarding Port Knocking:
+# http://www.portknocking.org/
+#
+# This feature does not work on servers that do not have the iptables module
+# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
+# server admins should check with their VPS host provider that the iptables
+# module is included
+#
+# For further information and syntax refer to the Port Knocking section of the
+# csf readme.txt
+#
+# Note: Run /etc/csf/csftest.pl to check whether this option will function on
+# this server
+#
+# openport;protocol;timeout;kport1;kport2;kport3[...;kportN],...
+# e.g.: 22;TCP;20;100;200;300;400
+PORTKNOCKING = ""
+
+# Enable PORTKNOCKING logging by iptables
+PORTKNOCKING_LOG = "1"
+
+# Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must
+# also be enabled to use this option
+#
+# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
+# this file about RESTRICT_SYSLOG before enabling this option:
+PORTKNOCKING_ALERT = "1"
+
+###############################################################################
+# SECTION:Log Scanner
+###############################################################################
+# Log Scanner. This feature will send out an email summary of the log lines of
+# each log listed in /etc/csf/csf.logfiles. All lines will be reported unless
+# they match a regular expression in /etc/csf/csf.logignore
+#
+# File globbing is supported for logs listed in /etc/csf/csf.logfiles. However,
+# be aware that the more files lfd has to track, the greater the performance
+# hit. Note: File globs are only evaluated when lfd is started
+#
+# Note: lfd builds the report continuously from lines logged after lfd has
+# started, so any lines logged when lfd is not running will not be reported
+# (e.g. during reboot). If lfd is restarted, then the report will include any
+# lines logged during the previous lfd logging period that weren't reported
+#
+# 1 to enable, 0 to disable
+LOGSCANNER = "1"
+
+# This is the interval each report will be sent based on the logalert.txt
+# template
+#
+# The interval can be set to:
+# "hourly" - sent on the hour
+# "daily" - sent at midnight (00:00)
+# "manual" - sent whenever "csf --logrun" is run. This allows for scheduling
+# via cron job
+LOGSCANNER_INTERVAL = "manual"
+
+# Report Style
+# 1 = Separate chronological log lines per log file
+# 2 = Simply chronological log of all lines
+LOGSCANNER_STYLE = "1"
+
+# Send the report email even if no log lines reported
+# 1 to enable, 0 to disable
+LOGSCANNER_EMPTY = "1"
+
+# Maximum number of lines in the report before it is truncated. This is to
+# prevent log lines flooding resulting in an excessively large report. This
+# might need to be increased if you choose a daily report
+LOGSCANNER_LINES = "10000"
+
+###############################################################################
+# SECTION:Statistics Settings
+###############################################################################
+# Statistics
+#
+# Some of the Statistics output requires the gd graphics library and the
+# GD::Graph perl module with all dependent modules to be installed for the UI
+# for them to be displayed
+#
+# This option enabled statistical data gathering
+ST_ENABLE = "1"
+
+# This option determines how many iptables log lines to store for reports
+ST_IPTABLES = "150"
+
+# This option indicates whether rDNS and CC lookups are performed at the time
+# the log line is recorded (this is not performed when viewing the reports)
+#
+# Warning: If DROP_IP_LOGGING is enabled and there are frequent iptables hits,
+# then enabling this setting could cause serious performance problems
+ST_LOOKUP = "1"
+
+# This option will gather basic system statstics. Through the UI it displays
+# various graphs for disk, cpu, memory, network, etc usage over 4 intervals:
+# . Hourly (per minute)
+# . 24 hours (per minute)
+# . 7 days (per minute averaged over an hour)
+# . 30 days (per minute averaged over an hour) - user definable
+# The data is stored in /var/lib/csf/stats/system and the option requires the
+# perl GD::Graph module
+#
+# Note: Disk graphs do not show on Virtuozzo/OpenVZ servers as the kernel on
+# those systems do not store the required information in /proc/diskstats
+# On new installations or when enabling this option it will take time for these
+# graphs to be populated
+ST_SYSTEM = "1"
+
+# Set the maximum days to collect statistics for. The default is 30 days, the
+# more data that is collected the longer it will take for each of the graphs to
+# be generated
+ST_SYSTEM_MAXDAYS = "30"
+
+# If ST_SYSTEM is enabled, then these options can collect MySQL statistical
+# data. To use this option the server must have the perl modules DBI and
+# DBD::mysql installed.
+#
+# Set this option to "0" to disable MySQL data collection
+ST_MYSQL = "1"
+
+# The following options are for authentication for MySQL data collection. If
+# the password is left blank and the user set to "root" then the procedure will
+# look for authentication data in /root/.my.cnf. Otherwise, you will need to
+# provide a MySQL username and password to collect the data. Any MySQL user
+# account can be used
+ST_MYSQL_USER = "root"
+ST_MYSQL_PASS = "d8z4a80"
+ST_MYSQL_HOST = "localhost"
+
+# If ST_SYSTEM is enabled, then this option can collect Apache statistical data
+# The value for PT_APACHESTATUS must be correctly set
+ST_APACHE = "0"
+
+# The following options measure disk write performance using dd (location set
+# via the DD setting). It creates a 64MB file called /var/lib/dd_write_test and
+# the statistics will plot the MB/s response time of the disk. As this is an IO
+# intensive operation, it may not be prudent to run this test too often, so by
+# default it is only run every 5 minutes and the result duplicated for each
+# intervening minute for the statistics
+#
+# This is not necessrily a good measure of disk performance, primarily because
+# the measurements are for relatively small amounts of data over a small amount
+# of time. To properly test disk performance there are a variety of tools
+# available that should be run for extended periods of time to obtain an
+# accurate measurement. This metric is provided to give an idea of how the disk
+# is performing over time
+#
+# Note: There is a 15 second timeout performing the check
+#
+# Set to 0 to disable, 1 to enable
+ST_DISKW = "0"
+
+# The number of minutes that elapse between tests. Default is 5, minimum is 1.
+ST_DISKW_FREQ = "15"
+
+# This is the command line passed to dd. If you are familiar with dd, or wish
+# to move the output file (of) to a different disk, then you can alter this
+# command. Take great care when making any changes to this command as it is
+# very easy to overwrite a disk using dd if you make a mistake
+ST_DISKW_DD = "if=/dev/zero of=/var/lib/csf/dd_test bs=1MB count=64 conv=fdatasync"
+
+###############################################################################
+# SECTION:Docker Settings
+###############################################################################
+# This section provides the configuration of iptables rules to allow Docker
+# containers to communicate through the host. If the generated rules do not
+# work with your setup you will have to use a /etc/csf/csfpost.sh file and add
+# your own iptables configuration instead
+#
+# 1 to enable, 0 to disable
+DOCKER = "0"
+
+# The network device on the host
+DOCKER_DEVICE = "docker0"
+
+# Docker container IPv4 range
+DOCKER_NETWORK4 = "172.17.0.0/16"
+
+# Docker container IPv6 range. IPV6 must be enabled and the IPv6 nat table
+# available (see IPv6 section). Leave blank to disable
+DOCKER_NETWORK6 = "2001:db8:1::/64"
+
+###############################################################################
+# SECTION:OS Specific Settings
+###############################################################################
+# Binary locations
+IPTABLES = "/sbin/iptables"
+IPTABLES_SAVE = "/sbin/iptables-save"
+IPTABLES_RESTORE = "/sbin/iptables-restore"
+IP6TABLES = "/sbin/ip6tables"
+IP6TABLES_SAVE = "/sbin/ip6tables-save"
+IP6TABLES_RESTORE = "/sbin/ip6tables-restore"
+MODPROBE = "/sbin/modprobe"
+IFCONFIG = "/sbin/ifconfig"
+SENDMAIL = "/usr/sbin/sendmail"
+PS = "/bin/ps"
+VMSTAT = "/usr/bin/vmstat"
+NETSTAT = "/bin/netstat"
+LS = "/bin/ls"
+MD5SUM = "/usr/bin/md5sum"
+TAR = "/bin/tar"
+CHATTR = "/usr/bin/chattr"
+UNZIP = "/usr/bin/unzip"
+GUNZIP = "/bin/gunzip"
+DD = "/bin/dd"
+TAIL = "/usr/bin/tail"
+GREP = "/bin/grep"
+ZGREP = "/usr/bin/zgrep"
+IPSET = "/usr/sbin/ipset"
+SYSTEMCTL = "/usr/bin/systemctl"
+HOST = "/usr/bin/host"
+IP = "/sbin/ip"
+CURL = "/usr/bin/curl"
+WGET = 
"/usr/bin/wget" + +# Log file locations +# +# File globbing is allowed for the following logs. However, be aware that the +# more files lfd has to track, the greater the performance hit +# +# Note: File globs are only evaluated when lfd is started +# +HTACCESS_LOG = "/var/log/nginx/error.log" +NGINX_LOG = "/var/log/nginx/*.access.log" +MODSEC_LOG = "" +SSHD_LOG = "/var/log/secure" +SU_LOG = "/var/log/secure" +SUDO_LOG = "/var/log/secure" +FTPD_LOG = "/var/log/messages" +SMTPAUTH_LOG = "/var/log/maillog" +POP3D_LOG = "/var/log/maillog" +IMAPD_LOG = "/var/log/maillog" +IPTABLES_LOG = "/var/log/messages" +SUHOSIN_LOG = "/var/log/messages" +BIND_LOG = "/var/log/named.log" +SYSLOG_LOG = "/var/log/messages" +WEBMIN_LOG = "/var/log/auth.log" + +CUSTOM1_LOG = "/var/log/maillog" +CUSTOM2_LOG = "/var/log/secure" +CUSTOM3_LOG = "/var/log/messages" +CUSTOM4_LOG = "/var/log/messages" +CUSTOM5_LOG = "/var/log/messages" +CUSTOM6_LOG = "/var/log/messages" +CUSTOM7_LOG = "/var/log/messages" +CUSTOM8_LOG = "/var/log/messages" +CUSTOM9_LOG = "/var/log/messages" + +# The following are comma separated lists used if LF_SELECT is enabled, +# otherwise they are not used. They are derived from the application returned +# from a regex match in /usr/local/csf/bin/regex.pm +# +# All ports default to tcp blocks. To specify udp or tcp use the format: +# port;protocol,port;protocol,... 
For example, "53;udp,53;tcp"
+PORTS_pop3d = "110,995"
+PORTS_imapd = "143,993"
+PORTS_htpasswd = "80,443"
+PORTS_mod_security = "80,443"
+PORTS_mod_qos = "80,443"
+PORTS_symlink = "80,443"
+PORTS_suhosin = "80,443"
+PORTS_cxs = "80,443"
+PORTS_bind = "53"
+PORTS_ftpd = "20,21"
+PORTS_webmin = "10000"
+PORTS_smtpauth = "25,26,465,587"
+PORTS_eximsyntax = "25,26,465,587"
+# This list is replaced, if present, by "Port" definitions in
+# /etc/ssh/sshd_config
+PORTS_sshd = "22,1907"
+
+# This configuration is for use with generic Linux servers, do not change the
+# following setting:
+GENERIC = "1"
+
+# For internal use only. You should not enable this option as it could cause
+# instability in csf and lfd
+DEBUG = "0"
+###############################################################################
diff --git a/csf/csf.fignore b/csf/csf.fignore
index 3e73b3e..9db53b1 100644
--- a/csf/csf.fignore
+++ b/csf/csf.fignore
@@ -25,3 +25,4 @@
 /tmp/\.horde
 /tmp/\.horde/.*
 /tmp/logcheck.*
+/tmp/.vdserver
diff --git a/csf/csf.pignore b/csf/csf.pignore
index a0170a6..0148414 100644
--- a/csf/csf.pignore
+++ b/csf/csf.pignore
@@ -179,3 +179,4 @@
 user:squid
 user:pydio
 exe:/home/pydio/cells
+
diff --git a/csf/imunify_allow.conf b/csf/imunify_allow.conf
new file mode 100644
index 0000000..4bce8a0
--- /dev/null
+++ b/csf/imunify_allow.conf
@@ -0,0 +1,2 @@
+148.251.142.83;imunify360 server
+69.175.3.10;files.imunify360.com server
\ No newline at end of file
diff --git a/group b/group
index bc14d8b..0ca5cac 100644
--- a/group
+++ b/group
@@ -82,7 +82,7 @@ spamd:x:1005:
 sara:x:1006:
 www-data:x:1007:
 clamav:x:958:
-ossec:x:957:ossecr,ossecm,ossece,nginx
+ossec:x:957:ossecr,ossecm,ossece,nginx,ossec
 csf:x:1008:
 smiti:x:1009:
 stapusr:x:156:
@@ -108,3 +108,6 @@ sftp:x:1023:
 toranon:x:955:
 privoxy:x:73:
 netdata:x:954:
+_imunify:x:953:
+linksafe:x:952:
+imunify360-webshield:x:951:
diff --git a/group- b/group-
index 016466f..e3fc539 100644
--- a/group-
+++ b/group-
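Review bot: `/tmp/.vdserver` leaves the dot unescaped while the neighbouring entries write `/tmp/\.horde`, so if csf.fignore entries are matched as regular expressions — the existing `/tmp/logcheck.*` and `\.` forms suggest they are — this pattern also ignores `/tmp/Xvdserver` and any other single character in that position. Escaping it, `/tmp/\.vdserver`, keeps the new ignore rule as narrow as the ones above it.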
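Review bot: The rewritten `ossec` line adds the `ossec` account as a supplementary member of its own group; if that account's primary GID is already 957 (its passwd entry is not part of this diff) the entry is redundant and only makes group membership harder to audit, and the gshadow hunk in a later file section mirrors the same addition. Worth confirming against the passwd record before keeping it. The three new system groups `_imunify`, `linksafe` and `imunify360-webshield` appended in the second hunk look fine.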
@@ -21,7 +21,7 @@ ftp:x:50:
 lock:x:54:
 audio:x:63:
 users:x:100:
-nobody:x:65534:
+nobody:x:65534:netdata
 dbus:x:81:
 utmp:x:22:
 utempter:x:35:
@@ -108,3 +108,6 @@ sftp:x:1023:
 toranon:x:955:
 privoxy:x:73:
 netdata:x:954:
+_imunify:x:953:
+linksafe:x:952:
+imunify360-webshield:x:951:
diff --git a/gshadow b/gshadow
index 0463c85..e9a4a0d 100644
--- a/gshadow
+++ b/gshadow
@@ -81,7 +81,7 @@ spamd:!::
 sara:!::
 www-data:!::
 clamav:!::
-ossec:!::ossecr,ossecm,ossece,nginx
+ossec:!::ossecr,ossecm,ossece,nginx,ossec
 csf:!::
 smiti:!::
 stapusr:!::
@@ -108,3 +108,6 @@ sftp:!::
 toranon:!::
 privoxy:!::
 netdata:!::
+_imunify:!::
+linksafe:!::
+imunify360-webshield:!::
diff --git a/gshadow- b/gshadow-
index bf9ff7f..2088548 100644
--- a/gshadow-
+++ b/gshadow-
@@ -21,7 +21,7 @@ ftp:::
 lock:::
 audio:::
 users:::
-nobody:::
+nobody:::netdata
 dbus:!::
 utmp:!::
 utempter:!::
@@ -108,3 +108,6 @@ sftp:!::
 toranon:!::
 privoxy:!::
 netdata:!::
+_imunify:!::
+linksafe:!::
+imunify360-webshield:!::
diff --git a/imunify-auditd-log-reader/config.yaml b/imunify-auditd-log-reader/config.yaml
new file mode 100644
index 0000000..f209a67
--- /dev/null
+++ b/imunify-auditd-log-reader/config.yaml
@@ -0,0 +1,4 @@
+logging:
+ trace_logging: false
+statistics:
+ report_period: 3h
diff --git a/imunify-realtime-av/config.yaml b/imunify-realtime-av/config.yaml
new file mode 100644
index 0000000..8aad898
--- /dev/null
+++ b/imunify-realtime-av/config.yaml
@@ -0,0 +1,5 @@
+cleanup:
+ frequency: 60
+ age_cutoff: 600
+statistics:
+ report_period: 3
diff --git a/imunify360-webshield/agent-proxies.conf b/imunify360-webshield/agent-proxies.conf
new file mode 100644
index 0000000..1c1f51c
--- /dev/null
+++ b/imunify360-webshield/agent-proxies.conf
@@ -0,0 +1,3 @@
+# This file initially empty and
+# supposed to have ip addresses
+# generated by im360 agent
diff --git a/imunify360-webshield/blocked_country_codes.conf b/imunify360-webshield/blocked_country_codes.conf
new file mode 100644
index 0000000..a5f36bb
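Review bot: `report_period: 3h` in imunify-auditd-log-reader/config.yaml carries a unit suffix, while the sibling imunify-realtime-av/config.yaml in the next file section writes `report_period: 3` bare next to the equally unitless `frequency: 60` and `age_cutoff: 600`. Unless the two readers parse this key differently, one of the two values is off by whatever the implied unit is; it is worth confirming what each reader expects and writing the same form in both files, or adding a one-line `# hours` / `# seconds` comment above each so the next edit does not guess.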
--- /dev/null
+++ b/imunify360-webshield/blocked_country_codes.conf
@@ -0,0 +1,3 @@
+# Place two-letter country codes here to block these countries at the
+# webshield level. For instance, to block China, add
+# CN 1;
\ No newline at end of file
diff --git a/imunify360-webshield/captcha.conf b/imunify360-webshield/captcha.conf
new file mode 100644
index 0000000..49c548d
--- /dev/null
+++ b/imunify360-webshield/captcha.conf
@@ -0,0 +1,4 @@
+map $cookie_locale$http_accept_language $captcha_lang {
+ default en;
+ include captcha/lang.conf;
+}
diff --git a/imunify360-webshield/captcha/lang.conf b/imunify360-webshield/captcha/lang.conf
new file mode 100644
index 0000000..e6702f4
--- /dev/null
+++ b/imunify360-webshield/captcha/lang.conf
@@ -0,0 +1,23 @@
+"~^ar" ar;
+"~^da" da;
+"~^de" de;
+"~^el" el;
+"~^en" en;
+"~^es" es;
+"~^fa" fa;
+"~^fr" fr;
+"~^he" he;
+"~^hu" hu;
+"~^id" id;
+"~^it" it;
+"~^ms" ms;
+"~^nl" nl;
+"~^no" no;
+"~^pl" pl;
+"~^pt" pt;
+"~^ro" ro;
+"~^ru" ru;
+"~^sv" sv;
+"~^tr" tr;
+"~^uk" uk;
+"~^zh" zh;
diff --git a/imunify360-webshield/common-proxies.conf b/imunify360-webshield/common-proxies.conf
new file mode 100644
index 0000000..cf2c380
--- /dev/null
+++ b/imunify360-webshield/common-proxies.conf
@@ -0,0 +1,3 @@
+# This file initially empty and
+# supposed to have ip addresses
+# generated by compose-whitelist
diff --git a/imunify360-webshield/country_ips.conf b/imunify360-webshield/country_ips.conf
new file mode 100644
index 0000000..c650bb3
--- /dev/null
+++ b/imunify360-webshield/country_ips.conf
@@ -0,0 +1,2 @@
+# THIS FILE IS GENERATED AUTOMATICALLY
+# BY IMUNIFY360-WEBSHIELD. DO NOT MODIFY IT
diff --git a/imunify360-webshield/custom-blacklisted.conf b/imunify360-webshield/custom-blacklisted.conf
new file mode 100644
index 0000000..e69de29
diff --git a/imunify360-webshield/custom-whitelisted.conf b/imunify360-webshield/custom-whitelisted.conf
new file mode 100644
index 0000000..e69de29
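Review bot: Every entry in captcha/lang.conf uses nginx's case-sensitive `~` regex operator, so a request whose `Accept-Language` or `locale` cookie value starts with uppercase letters falls through to the map's `default en` rather than matching — harmless for English, wrong for the other 22 languages listed. `"~*^ar" ar;` (and likewise on each line) matches case-insensitively; the three-entry splashscreen/lang.conf later in this commit has the same pattern. Since `$cookie_locale` is client-controlled and is simply prefixed to the header in captcha.conf's `map`, the list still only selects among fixed values with a safe default, so there is no injection concern here.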
diff --git a/imunify360-webshield/fastcgi.conf b/imunify360-webshield/fastcgi.conf new file mode 100644 index 0000000..091738c --- /dev/null +++ b/imunify360-webshield/fastcgi.conf @@ -0,0 +1,26 @@ + +fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/imunify360-webshield/fastcgi_params b/imunify360-webshield/fastcgi_params new file mode 100644 index 0000000..28decb9 --- /dev/null +++ b/imunify360-webshield/fastcgi_params 
@@ -0,0 +1,25 @@ + +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/imunify360-webshield/invisible-captcha.conf b/imunify360-webshield/invisible-captcha.conf new file mode 100644 index 0000000..1b4d9ba --- /dev/null +++ b/imunify360-webshield/invisible-captcha.conf @@ -0,0 +1,16 @@ +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # +# +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# DO NOT EDIT. AUTOMATICALLY GENERATED. +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# +# Direct modifications to this cfile WILL be lost upon subsequent +# regeneration of this configuration file. +# +# To have your modifications retained, you should use +# /etc/sysconfig/imunify360/imunify360.config.d +# via UI, CLI or manually. +# +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # + +set $invisible_captcha off; diff --git a/imunify360-webshield/invisible-captcha.conf.tpl b/imunify360-webshield/invisible-captcha.conf.tpl new file mode 100644 index 0000000..d53983c --- /dev/null +++ b/imunify360-webshield/invisible-captcha.conf.tpl 
@@ -0,0 +1,16 @@ +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # +# +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# DO NOT EDIT. AUTOMATICALLY GENERATED. +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# +# Direct modifications to this file WILL be lost upon subsequent +# regeneration of this configuration file. +# +# To have your modifications retained, you should use CLI command +# imunify360-agent features +# or activate/deactivate appropriate feature in UI. +# +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # + +set $invisible_captcha {invisible_captcha_on_off}; diff --git a/imunify360-webshield/koi-utf b/imunify360-webshield/koi-utf new file mode 100644 index 0000000..e7974ff --- /dev/null +++ b/imunify360-webshield/koi-utf 
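Review bot: The template header tells the operator to retain changes through `imunify360-agent features` or the UI, while the generated invisible-captcha.conf in the previous file section — presumably produced from this very template — points to `/etc/sysconfig/imunify360/imunify360.config.d` instead. The two headers cannot both be current, and whichever is stale should be aligned with the other so the "DO NOT EDIT" warning sends people to the right place. The generated copy also carries the typo `cfile` where this template correctly says `file`.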
@@ -0,0 +1,109 @@ + +# This map is not a full koi8-r <> utf8 map: it does not contain +# box-drawing and some other characters. Besides this map contains +# several koi8-u and Byelorussian letters which are not in koi8-r. +# If you need a full and standard map, use contrib/unicode2nginx/koi-utf +# map instead. + +charset_map koi8-r utf-8 { + + 80 E282AC ; # euro + + 95 E280A2 ; # bullet + + 9A C2A0 ; #   + + 9E C2B7 ; # · + + A3 D191 ; # small yo + A4 D194 ; # small Ukrainian ye + + A6 D196 ; # small Ukrainian i + A7 D197 ; # small Ukrainian yi + + AD D291 ; # small Ukrainian soft g + AE D19E ; # small Byelorussian short u + + B0 C2B0 ; # ° + + B3 D081 ; # capital YO + B4 D084 ; # capital Ukrainian YE + + B6 D086 ; # capital Ukrainian I + B7 D087 ; # capital Ukrainian YI + + B9 E28496 ; # numero sign + + BD D290 ; # capital Ukrainian soft G + BE D18E ; # capital Byelorussian short U + + BF C2A9 ; # (C) + + C0 D18E ; # small yu + C1 D0B0 ; # small a + C2 D0B1 ; # small b + C3 D186 ; # small ts + C4 D0B4 ; # small d + C5 D0B5 ; # small ye + C6 D184 ; # small f + C7 D0B3 ; # small g + C8 D185 ; # small kh + C9 D0B8 ; # small i + CA D0B9 ; # small j + CB D0BA ; # small k + CC D0BB ; # small l + CD D0BC ; # small m + CE D0BD ; # small n + CF D0BE ; # small o + + D0 D0BF ; # small p + D1 D18F ; # small ya + D2 D180 ; # small r + D3 D181 ; # small s + D4 D182 ; # small t + D5 D183 ; # small u + D6 D0B6 ; # small zh + D7 D0B2 ; # small v + D8 D18C ; # small soft sign + D9 D18B ; # small y + DA D0B7 ; # small z + DB D188 ; # small sh + DC D18D ; # small e + DD D189 ; # small shch + DE D187 ; # small ch + DF D18A ; # small hard sign + + E0 D0AE ; # capital YU + E1 D090 ; # capital A + E2 D091 ; # capital B + E3 D0A6 ; # capital TS + E4 D094 ; # capital D + E5 D095 ; # capital YE + E6 D0A4 ; # capital F + E7 D093 ; # capital G + E8 D0A5 ; # capital KH + E9 D098 ; # capital I + EA D099 ; # capital J + EB D09A ; # capital K + EC D09B ; # capital L + ED D09C ; # capital M + EE 
D09D ; # capital N + EF D09E ; # capital O + + F0 D09F ; # capital P + F1 D0AF ; # capital YA + F2 D0A0 ; # capital R + F3 D0A1 ; # capital S + F4 D0A2 ; # capital T + F5 D0A3 ; # capital U + F6 D096 ; # capital ZH + F7 D092 ; # capital V + F8 D0AC ; # capital soft sign + F9 D0AB ; # capital Y + FA D097 ; # capital Z + FB D0A8 ; # capital SH + FC D0AD ; # capital E + FD D0A9 ; # capital SHCH + FE D0A7 ; # capital CH + FF D0AA ; # capital hard sign +} diff --git a/imunify360-webshield/koi-win b/imunify360-webshield/koi-win new file mode 100644 index 0000000..72afabe --- /dev/null +++ b/imunify360-webshield/koi-win 
@@ -0,0 +1,103 @@ + +charset_map koi8-r windows-1251 { + + 80 88 ; # euro + + 95 95 ; # bullet + + 9A A0 ; #   + + 9E B7 ; # · + + A3 B8 ; # small yo + A4 BA ; # small Ukrainian ye + + A6 B3 ; # small Ukrainian i + A7 BF ; # small Ukrainian yi + + AD B4 ; # small Ukrainian soft g + AE A2 ; # small Byelorussian short u + + B0 B0 ; # ° + + B3 A8 ; # capital YO + B4 AA ; # capital Ukrainian YE + + B6 B2 ; # capital Ukrainian I + B7 AF ; # capital Ukrainian YI + + B9 B9 ; # numero sign + + BD A5 ; # capital Ukrainian soft G + BE A1 ; # capital Byelorussian short U + + BF A9 ; # (C) + + C0 FE ; # small yu + C1 E0 ; # small a + C2 E1 ; # small b + C3 F6 ; # small ts + C4 E4 ; # small d + C5 E5 ; # small ye + C6 F4 ; # small f + C7 E3 ; # small g + C8 F5 ; # small kh + C9 E8 ; # small i + CA E9 ; # small j + CB EA ; # small k + CC EB ; # small l + CD EC ; # small m + CE ED ; # small n + CF EE ; # small o + + D0 EF ; # small p + D1 FF ; # small ya + D2 F0 ; # small r + D3 F1 ; # small s + D4 F2 ; # small t + D5 F3 ; # small u + D6 E6 ; # small zh + D7 E2 ; # small v + D8 FC ; # small soft sign + D9 FB ; # small y + DA E7 ; # small z + DB F8 ; # small sh + DC FD ; # small e + DD F9 ; # small shch + DE F7 ; # small ch + DF FA ; # small hard sign + + E0 DE ; # capital YU + E1 C0 ; # capital A + E2 C1 ; # capital B + E3 D6 ; # capital TS + E4 C4 ; # capital D + E5 C5 ; # capital YE + E6 D4 ; # capital F + E7 C3 ; # capital G + E8 D5 ; # capital KH + E9 C8 ; # capital I + EA C9 ; # capital J + EB CA ; # capital K + EC CB ; # capital L + ED CC ; # capital M + EE CD ; # capital N + EF CE ; # capital O + + F0 CF ; # capital P + F1 DF ; # capital YA + F2 D0 ; # capital R + F3 D1 ; # capital S + F4 D2 ; # capital T + F5 D3 ; # capital U + F6 C6 ; # capital ZH + F7 C2 ; # capital V + F8 DC ; # capital soft sign + F9 DB ; # capital Y + FA C7 ; # capital Z + FB D8 ; # capital SH + FC DD ; # capital E + FD D9 ; # capital SHCH + FE D7 ; # capital CH + FF DA ; # capital hard sign +} 
diff --git a/imunify360-webshield/mime.types b/imunify360-webshield/mime.types new file mode 100644 index 0000000..2961256 --- /dev/null +++ b/imunify360-webshield/mime.types 
@@ -0,0 +1,97 @@ + +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/svg+xml svg svgz; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/webp webp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + + font/woff woff; + font/woff2 woff2; + + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.oasis.opendocument.graphics odg; + application/vnd.oasis.opendocument.presentation odp; + application/vnd.oasis.opendocument.spreadsheet ods; + application/vnd.oasis.opendocument.text odt; + application/vnd.openxmlformats-officedocument.presentationml.presentation + pptx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + xlsx; + application/vnd.openxmlformats-officedocument.wordprocessingml.document + docx; + application/vnd.wap.wmlc wmlc; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml 
xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} diff --git a/imunify360-webshield/ports.conf b/imunify360-webshield/ports.conf new file mode 100644 index 0000000..419057f --- /dev/null +++ b/imunify360-webshield/ports.conf @@ -0,0 +1,4 @@ +# IPv4 +listen *:52224; +# IPv6 +listen [::]:52224; diff --git a/imunify360-webshield/presets.cfg b/imunify360-webshield/presets.cfg new file mode 100644 index 0000000..07d0646 --- /dev/null +++ b/imunify360-webshield/presets.cfg @@ -0,0 +1,4 @@ +# Global webshiled presets to be taken into account +# when config is being generated + +# proxy_protocol = no \ No newline at end of file diff --git a/imunify360-webshield/scgi_params b/imunify360-webshield/scgi_params new file mode 100644 index 0000000..6d4ce4f --- /dev/null +++ b/imunify360-webshield/scgi_params @@ -0,0 +1,17 @@ + +scgi_param REQUEST_METHOD $request_method; +scgi_param REQUEST_URI $request_uri; +scgi_param QUERY_STRING $query_string; +scgi_param CONTENT_TYPE $content_type; + +scgi_param DOCUMENT_URI $document_uri; +scgi_param DOCUMENT_ROOT $document_root; +scgi_param SCGI 1; +scgi_param SERVER_PROTOCOL $server_protocol; +scgi_param REQUEST_SCHEME $scheme; +scgi_param HTTPS $https if_not_empty; + +scgi_param REMOTE_ADDR $remote_addr; +scgi_param REMOTE_PORT $remote_port; +scgi_param SERVER_PORT $server_port; +scgi_param SERVER_NAME $server_name; 
diff --git a/imunify360-webshield/splashscreen-antibot.conf b/imunify360-webshield/splashscreen-antibot.conf
new file mode 100644
index 0000000..0d4388b
--- /dev/null
+++ b/imunify360-webshield/splashscreen-antibot.conf
@@ -0,0 +1 @@
+splashscreen_antibot off;
\ No newline at end of file
diff --git a/imunify360-webshield/splashscreen.conf b/imunify360-webshield/splashscreen.conf
new file mode 100644
index 0000000..35cf383
--- /dev/null
+++ b/imunify360-webshield/splashscreen.conf
@@ -0,0 +1,4 @@
+map $http_accept_language $splashscreen_lang {
+ default en;
+ include splashscreen/lang.conf;
+}
\ No newline at end of file
diff --git a/imunify360-webshield/splashscreen/lang.conf b/imunify360-webshield/splashscreen/lang.conf
new file mode 100644
index 0000000..01fa00d
--- /dev/null
+++ b/imunify360-webshield/splashscreen/lang.conf
@@ -0,0 +1,3 @@
+"~^en" en;
+"~^ru" ru;
+"~^uk" uk;
diff --git a/imunify360-webshield/ssl.conf b/imunify360-webshield/ssl.conf
new file mode 100644
index 0000000..68a80d5
--- /dev/null
+++ b/imunify360-webshield/ssl.conf
@@ -0,0 +1,10 @@
+# When enabled, WebShield will search for the first certificate
+# in cache and return it for the requests without SNI.
+# When disabled, default self-signed server certficate will be used.
+lua_enable_ws_sslcache_search on;
+
+# Default server certificate that will be used for requests without SNI.
+# It is self-signed and is generated on installation/upgrade for 365 days
+# so please note that it will expire after a year since the installation/upgrade.
+ssl_certificate ssl_certs/dummy.pem;
+ssl_certificate_key ssl_certs/dummy.pem;
\ No newline at end of file
diff --git a/imunify360-webshield/ssl_certs/dummy.pem b/imunify360-webshield/ssl_certs/dummy.pem
new file mode 100644
index 0000000..a14506c
--- /dev/null
+++ b/imunify360-webshield/ssl_certs/dummy.pem
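Review bot: `lua_enable_ws_sslcache_search on;` means, per the comment above it, that a client connecting without SNI is handed the first cached certificate rather than the dummy one, so a plain non-SNI TLS handshake discloses another hosted site's certificate and the names it carries; on a multi-tenant host that reveals which domains sit behind this proxy, and `lua_enable_ws_sslcache_search off;` is the safer setting unless that disclosure is acceptable. The `ssl_certs/dummy.pem` referenced on the last two lines is committed in the next file section complete with its PRIVATE KEY block, which puts key material into the etckeeper history, and the csf.conf hunk earlier in this commit likewise records a plaintext `ST_MYSQL_PASS` value. Both should be kept out of the repository (an ignore pattern for `imunify360-webshield/ssl_certs/` and a redaction of the csf.conf line) and the key and credential regenerated, since the history already contains them. Minor: `certficate` on the third line is misspelled and the file lacks a trailing newline.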
@@ -0,0 +1,82 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC0zUnzvkF4U8er +7CaOaKzT3owW2NOLeh6vsn/WmDDysgtixgZ5iPFT+H/NPna4PsbuVVA5CS9AbNxr +nvWtkGfMZJDjny/+6PYoZEYoSK9sUKpHAD2HlSACbOxfmBtDMZqcjzdZ8+Io4/qP +3S8ap1rx7LfVqxR6BY1Rkp0FRmVJBviS0GYRl8u5ZQcRfDeNiRlF0AFZlyGRKqfR +GozrwWMZq5FyrBP+dExYNcfj52WzZMG/GQByDdH6yD6BV1OrG3hl9lCdij7foUo2 +3YzbkFHFiESoPjdJyqlxjARcuFZpsGcdLDkrw7seGiLEmyyqeMDWjBVjTvmy2KwJ +A8hGSx4m85vzrJ5k1ST3nCQB/x/n3+wYyMu61mB5r/Z5sedYSQQm6lhm3+w0A8kh +iNhSrJLhCC1qQqHZINauRWXEA7XEFjpPt0kzUsic67u3SdwsgS8GrcY1Eet5h8gJ +zsEKe0MV7QZ2qVfdhwY2SISnodj2FJGobGAxMVNTMgV10eA7teU8Tn+oWKuR4pb6 +BFbzp45lYTjIaFGN6uLdlGHBHc2PocOrHl8f+hew2IJRasa9Ae3GQFgmhCZdQVEK +YJMP/pgiuiK6WDg7ZmjpyvWQnXotPzKlu8VtcxnDaBA2JQIbvCTrzikeyILHI3V4 +UF+icPaOUjz1CVHnuxbuWaB4efqI0QIDAQABAoICABniAaI5LFozdDQyfFqKtaMn +CtsCc1ZWRypT3WU1KFy2DFc5jhe7+QBSZMlXFdvOcOARqohfvjn026E0gms0bwed +pfhQA6j0ZLjnkfuWXDafXaEIccaFHK38NeKBffWilkWvYvcnqMq9yFLsESA5sRVN +FAwsj6PgQ5jX6k6lAz7vFoq99r6yAmIqClcAd1t1sv6Bho/yyMVlW9zddisR5kP4 +gbvu0nXs5DkEifcgWzjRRcM7qwqo29SQ8hHGFJ48MoI2PtguwE13Y45zLQUJpgsn +NNz4+yU/M/6jUsSLRyOeM0TD3fNb89+dUjjfFgfZfZG5QB6VYb2uswIfXn5hppEj +TUS4XsY862pn/J+QQaOQ0ullhuu0EUz1xEHRkodpq8/cTFjhCCWeBQsuO9tJO2HY +lOUF8p5ajAhbrLYKpXATktiM+Gc+4gwfQT1OBX+5QpmhiqaMJA02aJ3GLggmVh0Q +6lwcqGT42Wat82BKKjHm433NeJrEBim2K6AoJWHkv2Y+lkFVl2O5IMH8a8C9APoj +SziV/wNfozNNlsmE+f705KAoCjAIswEkJ2I1pmm0pq3Hx6hhk1viYUaYoyr2Lbm1 +QBr5U4xOv5uzT2Bi6ts9euua29MnQ1YA9G/SU+jLMyfEiqTvqpMi2upko2++SvsB +eITfoDrAqPNtHM+wAN25AoIBAQDf1rLCdbytO10FcHKT+5TSS70X9djn4fpZFqrm +HsSQf3G9GdZ7DAeROoeQNWt68uzRdh4JkiSBRRqarqngF14blaIiLM4x1kDDUa/g +xf+DFMur/JGYUfGXgXImxRaC0M7F6IY1qzfNrS5oKJSgSFPykghpcaHDrSVt2R0Z +Hj8vulrDEGFDqtof+DPnmP5VWRaO3K3kDddL2O0o5oKuTTVhE6l/ZlU6v+AyG0Qc +9Tfqk/rzaTp9ytY022baVNZ6O5AdvKmbnFYSXbmsWkvYScKydJDL1mQPrJkDZGYD +X1PgcEJ0Y2sKpVEnzBKZ9mPcG6MEUHwk0j3uOB9ebcDk1DJjAoIBAQDOx5l+7/5x +ilapgDg9+kD6IYaErXcbKWQGINCn+XJ7CUb93qXbpva+Vx95ug4TC8KNvTPOU7/V 
+Xd80C5aVCOeBvWVjUI9/Go10uVy6RMmmV0Xc8YdZOMqdHJ8Ac58nlwWHSh1yS9h/ +RbmVGkDOFv09TSdhOOG05UWa/S/aYxVn2C0uwb0uafPUnbTjxn6a6Bxxnr1v63yX +w9efUqqM3+k1ZwOfPD3fE3CgDsxVmvcCfliTkMelVaX/mnLZFzdaGor/q9uLQtfl +NYYnzMY1W0BbIbOj7f/c8jvLQW4LKMfF/Lm7EF8lSyE/VI61bvbTbh7c+K/l1TkH +b1B68jDEHyQ7AoIBAH8yyF6M/W0LwO6oWdQSMR3YAFqvUFVlKxiZMwCWF2ltorqt +Bh7iVSKIOiUO1kcF6OGW17bkn23+UQH5o3s+jDHstDfrcjkL4b2cm++FVI+ur5bK +bgo69qj73Fx/vy0Tb40zd6Dj7VApy6dQ+DSlJV9A8RrKgfxqVky4BjsR3yJGKfGT +S1JispVcPFKttEnX2GPSr9Zary/g09RcOYLHSUAjJjzJcEF0a/jNWcWC7AWXlhHg +iGaXb2aWDzqe30qSsnDTlyZgjuDc9fglT9hXAhba+rV63V2y3Tj6QqZD86wk3v64 +yElCbH3LD/8B7vlTky2Odx2Ng7ftmJXWlLj0hLUCggEBAJ5I7jfcEILraZFQpDzV +Lx4JwcYYXv88vONwBSk/6qFCJcS5xW6RrXlgiaiNgq6TpvcG6Pw84bC7rdtSL4+g +BE8tIspWZbHfKn86UUAI3e9mCQWrIXdr4LVJrnETELamhUXdtxLB+lTak8gOE6Nu +t6VQRR/IAgaOJq0QuKvMgxs9wMB075Ly6gJMQqbFUC7WFMfowoxEz9gAwzKjfghe +ck89rukanSYA5IqxKTsyZ3jSLI2xGxJ1sJ8rpFSH0Ag6H0K9VE6S+V7sjOg0eVlo +o6fe8Xs/+UcxahIZ4NnL+riUz7vhOWP70dR/rso1yd1pA1kVSNh/UqtdS1cBw9Ct +IfcCggEBAM9C185mVzmk69MnD76OjLcGaiy7OdyY0xK5odTaPa1s68bQPwpfL1IR +dbZ/WVMgNhduExvx7RONp+kvwFTxQH+OtFvceHCWc5SqQTp3aNWRoMN12gY9ZaDs +KG+1z8aTXfZyMPIgXIEYfatndjgXr25xcSYdNhGkU5x3NKw24Zzian+49KWw3zQb +bApd1bg48k8mehwUxxBWNMiTF2ie3lZj2IGEd45n19Da0s+maGWFGfj/ifFEVQ5x +C2zhMpkjvtJHtrkj6vk2NoPqyR6tL3N4iZyPmcywGFVCXsI8G2GIFEylAd+ZRATl +IrvSc7HIaJlEC4aimNEOx7DpS4Hta8A= +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIFDTCCAvWgAwIBAgIUHDCsyauLfsZpqTtczBwPUSsbQgswDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLemlyYS44OTgucm8wHhcNMjMwMjA5MTI0OTE5WhcNMjQw +MjA5MTI0OTE5WjAWMRQwEgYDVQQDDAt6aXJhLjg5OC5ybzCCAiIwDQYJKoZIhvcN +AQEBBQADggIPADCCAgoCggIBALTNSfO+QXhTx6vsJo5orNPejBbY04t6Hq+yf9aY +MPKyC2LGBnmI8VP4f80+drg+xu5VUDkJL0Bs3Gue9a2QZ8xkkOOfL/7o9ihkRihI +r2xQqkcAPYeVIAJs7F+YG0MxmpyPN1nz4ijj+o/dLxqnWvHst9WrFHoFjVGSnQVG +ZUkG+JLQZhGXy7llBxF8N42JGUXQAVmXIZEqp9EajOvBYxmrkXKsE/50TFg1x+Pn +ZbNkwb8ZAHIN0frIPoFXU6sbeGX2UJ2KPt+hSjbdjNuQUcWIRKg+N0nKqXGMBFy4 
+VmmwZx0sOSvDux4aIsSbLKp4wNaMFWNO+bLYrAkDyEZLHibzm/OsnmTVJPecJAH/ +H+ff7BjIy7rWYHmv9nmx51hJBCbqWGbf7DQDySGI2FKskuEILWpCodkg1q5FZcQD +tcQWOk+3STNSyJzru7dJ3CyBLwatxjUR63mHyAnOwQp7QxXtBnapV92HBjZIhKeh +2PYUkahsYDExU1MyBXXR4Du15TxOf6hYq5HilvoEVvOnjmVhOMhoUY3q4t2UYcEd +zY+hw6seXx/6F7DYglFqxr0B7cZAWCaEJl1BUQpgkw/+mCK6IrpYODtmaOnK9ZCd +ei0/MqW7xW1zGcNoEDYlAhu8JOvOKR7IgscjdXhQX6Jw9o5SPPUJUee7Fu5ZoHh5 ++ojRAgMBAAGjUzBRMB0GA1UdDgQWBBRostY0giKZrdn0QZR/W2bUS22jgTAfBgNV +HSMEGDAWgBRostY0giKZrdn0QZR/W2bUS22jgTAPBgNVHRMBAf8EBTADAQH/MA0G +CSqGSIb3DQEBCwUAA4ICAQBYrYi3P9wOx769eHdavaFCzXg/g1qbcNI2GbNj96Qk ++LKm/4/NUCUEngcMg0RsCrBfj00uDVhhBN/QmwOjmj5ZkKAd829WFY5RFUDrsNXP +pjfAMsSSJ7KXq7DyxCZeKx6jhpqq9uOxCS9jee9UNFpVOCpZXlNxIQD+pDXEKKh2 +vrMF+xZi9Ao6rng/lMSRaaqqn3KOokn7FK7bPhqNbBrIZMpfEA11ZsS0moH4py3Q +emmKcNZv2d27CAm4X6K7tSmuH6wV/jjcQ6SxNUs6G6YXj1Eg5T9JcFpHDxtttfls +ftPzzVqt8rLm6/kAdQiNgFLq1dTKY30LhlYVGPOEst/1+ckAZxL6KOPSmsVWFPNG +4wuuE2IW/7HhmR9KQFjdVwnxg/p11/S9tw5/Ua0Or8BqwBZtzLWkRvXrcoLRotAW +SBLU1H3SGwdkLnDofzia2YFwH0k+IqSATAdmYt4kYqkmP+OeSw/YGVZPO1jurRVp +4/ncZ8ChUqz9qc5bpeAEiYU42jc2PeGhbQez67Mfo2VOj1rYXh7EfVdSoZdAGSr+ +4FUFBv/H09KCenXD0U+ADvLW2G9XPxMlvMni+uUETES/AU/ehDP/qrwO6m6IPwbG +w60iRxQzzLBghKuXBdfz8zlmcHNKc55CXGvQNkUVSsqwPnTQeQlZFb2PHY1GyzOq +WQ== +-----END CERTIFICATE----- diff --git a/imunify360-webshield/ssl_ports.conf b/imunify360-webshield/ssl_ports.conf new file mode 100644 index 0000000..5ae5528 --- /dev/null +++ b/imunify360-webshield/ssl_ports.conf @@ -0,0 +1,4 @@ +# IPv4 +listen *:52223 ssl http2; +# IPv6 +listen [::]:52223 ssl http2; diff --git a/imunify360-webshield/unified_access_logger.conf b/imunify360-webshield/unified_access_logger.conf new file mode 100644 index 0000000..9e81b20 --- /dev/null +++ b/imunify360-webshield/unified_access_logger.conf 
@@ -0,0 +1,2 @@
+log_format ualog '$wsuserip|$webshield_verdict|$time_iso8601';
+access_log syslog:server=unix:/var/run/imunify360-webshield-unified_access_logger.socket,tag=ualog ualog;
\ No newline at end of file
diff --git a/imunify360-webshield/uwsgi_params b/imunify360-webshield/uwsgi_params
new file mode 100644
index 0000000..09c732c
--- /dev/null
+++ b/imunify360-webshield/uwsgi_params
@@ -0,0 +1,17 @@
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
diff --git a/imunify360-webshield/virtserver.conf b/imunify360-webshield/virtserver.conf
new file mode 100644
index 0000000..be8d212
--- /dev/null
+++ b/imunify360-webshield/virtserver.conf
@@ -0,0 +1,110 @@
+lua_ssl_verify_depth 2;
+lua_ssl_trusted_certificate /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem;
+
+ssl_certificate_by_lua_file lua/ssl.lua;
+
+set $proxy_part '';
+if ($append_port) {
+ set $proxy_part :$proxy_port;
+}
+
+set $trust_ezoic 0;
+
+rewrite_by_lua_file lua/accesscheck.lua;
+
+location = /selfcheck {
+ allow 127.0.0.1;
+ allow ::1;
+ deny all;
+ content_by_lua_block {
+ ngx.status = ngx.HTTP_OK
+ ngx.header.content_type = "text/html; charset=utf-8"
+ local message = os.time(os.date("!*t"))
+ ngx.say(message)
+ return ngx.exit(ngx.HTTP_OK)
+ }
+}
+
+location = /captchacheck {
+ proxy_set_header Host $host$proxy_part;
+ proxy_set_header X-Real-IP $wsuserip;
+ proxy_bind $bind_target;
+ proxy_hide_header Upgrade;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+
+ if ($static_whitelisted) {
+ expires off;
+ proxy_pass $scheme://catchall;
+ }
+
+ access_by_lua_file lua/captchacheck.lua;
+}
+
+location = /ungraylistcheck {
+ content_by_lua_file lua/ungraylistcheck.lua;
+}
+
+location @to_static {
+ root html/captcha;
+ try_files $uri /a9bc224bd710f56d27affffddc764239b58c3faa0/shield.png;
+}
+
+location / {
+ access_by_lua_file lua/reqrouter.lua;
+}
+
+location @to_backend {
+ access_by_lua_block {
+ local xff = ngx.var.http_x_forwarded_for
+ if not xff or ngx.var.remote_proxy == "0" then
+ ngx.req.set_header("X-Forwarded-For", ngx.var.wsuserip)
+ else
+ ngx.req.set_header("X-Forwarded-For", xff .. ", " .. 
ngx.var.remote_addr)
+ end
+ }
+ proxy_set_header Host $host$proxy_part;
+ proxy_set_header X-Real-IP $wsuserip;
+ proxy_set_header X-Remote-IP $remote_addr;
+ proxy_hide_header Upgrade;
+ expires off;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ include /etc/imunify360-webshield/webshield-backend.conf.d/*.conf;
+ proxy_bind $bind_target;
+ proxy_pass $scheme://catchall;
+}
+
+location @to_captcha {
+ include /etc/imunify360-webshield/invisible-captcha.conf;
+ root html/captcha;
+ default_type text/html;
+ add_header Last-Modified $date_gmt;
+ add_header Cache-Control 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0, s-maxage=0';
+ add_header cf-edge-cache no-cache;
+ add_header Expires 'Thu, 01 Jan 1970 00:00:01 GMT';
+ if_modified_since off;
+ expires off;
+ etag off;
+ keepalive_timeout 0;
+ include /etc/imunify360-webshield/webshield-captcha.conf.d/*.conf;
+ content_by_lua_file lua/captcha.lua;
+}
+
+location @to_splashscreen {
+ root html/splashscreen;
+ default_type text/html;
+ add_header Last-Modified $date_gmt;
+ add_header Cache-Control 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0, s-maxage=0';
+ add_header cf-edge-cache no-cache;
+ if_modified_since off;
+ expires off;
+ etag off;
+ keepalive_timeout 0;
+ include /etc/imunify360-webshield/webshield-splashscreen.conf.d/*.conf;
+ content_by_lua_file lua/splashscreen.lua;
+}
+
+location = /z0f76a1d14fd21a8fb5fd0d03e0fdc3d3cedae52f {
+ content_by_lua_file lua/wsidchk.lua;
+}
diff --git a/imunify360-webshield/webshield-http.conf.d/resolver.conf b/imunify360-webshield/webshield-http.conf.d/resolver.conf
new file mode 100644
index 0000000..4e99841
--- /dev/null
+++ b/imunify360-webshield/webshield-http.conf.d/resolver.conf
@@ -0,0 +1 @@
+resolver 192.168.1.2 ipv6=off;
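Review bot: virtserver.conf has no header comment, yet it reads `$wsuserip`, `$bind_target`, `$proxy_part`/`$append_port`, `$static_whitelisted` and `$remote_proxy` without defining any of them; a header such as `# Included per-server from webshield.conf; expects $wsuserip, $bind_target, $append_port/$proxy_port, $static_whitelisted and $remote_proxy to be defined in the http context` would make the include order visible to the next reader. `set $trust_ezoic 0;` is likewise unexplained — one line naming the Lua file that consumes it would be enough. In `@to_backend` the Lua block replaces X-Forwarded-For with `$wsuserip` unless `$remote_proxy` marks the peer as a known proxy, which is the right default for a filter that must not trust a client-supplied chain; a comment stating exactly that would keep a later edit from "fixing" it.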
diff --git a/imunify360-webshield/webshield-http.conf.d/static-whitelist.conf b/imunify360-webshield/webshield-http.conf.d/static-whitelist.conf
new file mode 100644
index 0000000..0737254
--- /dev/null
+++ b/imunify360-webshield/webshield-http.conf.d/static-whitelist.conf
@@ -0,0 +1,2 @@
+geo $static_whitelisted {
+}
diff --git a/imunify360-webshield/webshield-http.conf.d/wscheckdata.conf b/imunify360-webshield/webshield-http.conf.d/wscheckdata.conf
new file mode 100644
index 0000000..8bbfd71
--- /dev/null
+++ b/imunify360-webshield/webshield-http.conf.d/wscheckdata.conf
@@ -0,0 +1,4 @@
+
+wscheck_untrusted_key Bk0yx39MjA2UJFFeCRQi41BMuCwQOAye;
+
+wscheck_trusted_key qVZpo0JQopkDzvGdFaWABhUAeXEg7FfJ;
diff --git a/imunify360-webshield/webshield.conf b/imunify360-webshield/webshield.conf
new file mode 100644
index 0000000..e591e37
--- /dev/null
+++ b/imunify360-webshield/webshield.conf
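Review bot: wscheckdata.conf commits two values, `wscheck_untrusted_key` and `wscheck_trusted_key`, that look like per-installation secrets into the etckeeper repository, where they stay in history even after a later rotation; if they are secrets, the path belongs in etckeeper's ignore list and the current values should be rotated once the repository has been readable by anyone other than root. The hunk does not say what the keys protect or who generates them, and the on-disk mode is not visible here either, so a comment such as `# generated at install by <component>; used by the wscheck module for <purpose>; keep root-only` — filled in with the real component and purpose — would tell an operator how to handle the file. Whether these values are secrets is inferred from the directive names, so confirm with the module documentation before adding the ignore rule.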
@@ -0,0 +1,159 @@
+
+user imunify360-webshield;
+worker_processes 1;
+
+error_log /var/log/imunify360-webshield/error.log warn;
+pid /var/run/imunify360-webshield.pid;
+worker_rlimit_nofile 65536;
+
+events {
+ worker_connections 65536;
+ multi_accept on;
+}
+
+
+http {
+ variables_hash_max_size 2048;
+ map_hash_max_size 4096;
+ map_hash_bucket_size 128;
+
+ # Make sure all clients' headers are passed
+ ignore_invalid_headers off;
+
+ # Allow upload of files of unlimited size
+ client_max_body_size 0;
+
+ include /etc/imunify360-webshield/mime.types;
+ default_type application/octet-stream;
+
+ # XFF:"ip" is to match nginx captcha access.log separately from
+ # other access logs
+ log_format main '$wsuserip - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent $host "$http_referer" '
+ '"$http_user_agent" WL:"$domain_whitelisted" "$http_x_requested_with" '
+ 'XFF:"$http_x_forwarded_for" CAPTCHA:"$wscaptcha" PEER:$remote_addr';
+
+ access_log /var/log/imunify360-webshield/access.log main;
+
+ include /etc/imunify360-webshield/unified_access_logger.conf;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 0;
+
+ #gzip on;
+
+ proxy_read_timeout 180s;
+ proxy_send_timeout 180s;
+ proxy_buffering off;
+ proxy_buffers 8 128k;
+ proxy_buffer_size 128k;
+ client_body_buffer_size 128k;
+
+ http2_max_field_size 8k;
+
+ include webshield-http.conf.d/*.conf;
+
+ include /etc/imunify360-webshield/wscheck.conf;
+ include /etc/imunify360-webshield/captcha.conf;
+ include /etc/imunify360-webshield/splashscreen.conf;
+ include /etc/imunify360-webshield/splashscreen-antibot.conf;
+
+ geo $remote_proxy {
+ default 0;
+ include /etc/imunify360-webshield/agent-proxies.conf;
+ include /etc/imunify360-webshield/common-proxies.conf;
+ }
+
+ map $host $domain_whitelisted {
+ default 0;
+ include /etc/imunify360-webshield/whitelisted-domains.conf;
+ }
+
+ map $server_addr $bind_target {
+ default 127.0.0.1;
+ "~^[a-fA-F0-9:\[\]]+$" ::1;
+ }
+
+ geo $wsuserip 
$remote_country_code {
+ default none;
+ include /etc/imunify360-webshield/country_ips.conf;
+ }
+
+ map $remote_country_code $remote_blocked_by_country {
+ default 0;
+ include /etc/imunify360-webshield/blocked_country_codes.conf;
+ }
+
+ geo $wsuserip $custom_whitelisted {
+ default 0;
+ include /etc/imunify360-webshield/custom-whitelisted.conf;
+ }
+
+ geo $wsuserip $custom_blacklisted {
+ default 0;
+ include /etc/imunify360-webshield/custom-blacklisted.conf;
+ }
+
+ lua_shared_dict domains_ips 1m;
+ lua_shared_dict splashscreen_sessions 1m;
+ lua_shared_dict captchapassed_clients 1m;
+ lua_shared_dict notfound_ssl_domains 1m;
+ lua_shared_dict ipset_check_cacher 1m;
+ init_by_lua_file lua/init.lua;
+
+ map $server_port $proxy_port {
+ default 80;
+ 52223 443;
+ 52224 80;
+ 52227 2087;
+ 52228 2086;
+ 52229 2083;
+ 52230 2082;
+ 52231 2096;
+ 52232 2095;
+ 52233 8443;
+ 52234 8880;
+ 52235 2222;
+ }
+
+ map $proxy_port $append_port {
+ default 1;
+ 80 0;
+ 443 0;
+ }
+
+ upstream catchall {
+ server 127.0.0.1;
+ balancer_by_lua_block {
+ local balancer = require "ngx.balancer"
+ local host = ngx.var.server_addr
+ if host ~= nil and host:match(":") then
+ host = "[" .. host .. "]"
+ end
+ local port = ngx.var.proxy_port
+ local ok, err = balancer.set_current_peer(host, port)
+ if not ok then
+ ngx.log(ngx.ERR, "failed to set the current peer: ", err)
+ return ngx.exit(ngx.ERROR)
+ end
+ }
+ keepalive 32;
+ }
+
+ server_tokens off;
+ more_set_headers "Server: imunify360-webshield/1.18";
+
+ server {
+ server_name _;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ proxy_ssl_protocols TLSv1.2 TLSv1.3;
+
+ include /etc/imunify360-webshield/ports.conf;
+ include /etc/imunify360-webshield/ssl_ports.conf;
+ include /etc/imunify360-webshield/ssl.conf;
+ include /etc/imunify360-webshield/webshield-server.conf.d/*.conf;
+ include /etc/imunify360-webshield/virtserver.conf;
+ }
+}
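Review bot: `more_set_headers "Server: imunify360-webshield/1.18";` near the end of webshield.conf re-advertises the exact version that the preceding `server_tokens off;` was meant to withhold; `more_set_headers "Server: imunify360-webshield";` keeps the product name without the build number. Earlier in the hunk, `ignore_invalid_headers off;` and `client_max_body_size 0;` each carry a comment that says what the directive does but not why a filtering proxy needs it, so a reader cannot tell whether tightening either would break the product; a why-note such as `# off so malformed headers reach the origin unchanged and WebShield stays transparent` above each would settle that. The `$bind_target` map's regex `"~^[a-fA-F0-9:\[\]]+$"` is presumably an IPv6 detector for `$server_addr` — worth one comment saying so.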
diff --git a/imunify360-webshield/whitelisted-domains.conf b/imunify360-webshield/whitelisted-domains.conf
new file mode 100644
index 0000000..1e1e5a6
--- /dev/null
+++ b/imunify360-webshield/whitelisted-domains.conf
@@ -0,0 +1,6 @@
+# White list for domains to disable the captcha check
+# See http://nginx.org/ru/docs/http/ngx_http_map_module.html for syntax
+# Use 1 to enable whitelisting and 0 to disable
+
+# example.org 1; # enable whitelisting
+# www.example.org 0; # temporary disable whitelisting
diff --git a/imunify360-webshield/win-utf b/imunify360-webshield/win-utf
new file mode 100644
index 0000000..ed8bc00
--- /dev/null
+++ b/imunify360-webshield/win-utf
@@ -0,0 +1,126 @@
+
+# This map is not a full windows-1251 <> utf8 map: it does not
+# contain Serbian and Macedonian letters. If you need a full map,
+# use contrib/unicode2nginx/win-utf map instead.
+
+charset_map windows-1251 utf-8 {
+
+ 82 E2809A ; # single low-9 quotation mark
+
+ 84 E2809E ; # double low-9 quotation mark
+ 85 E280A6 ; # ellipsis
+ 86 E280A0 ; # dagger
+ 87 E280A1 ; # double dagger
+ 88 E282AC ; # euro
+ 89 E280B0 ; # per mille
+
+ 91 E28098 ; # left single quotation mark
+ 92 E28099 ; # right single quotation mark
+ 93 E2809C ; # left double quotation mark
+ 94 E2809D ; # right double quotation mark
+ 95 E280A2 ; # bullet
+ 96 E28093 ; # en dash
+ 97 E28094 ; # em dash
+
+ 99 E284A2 ; # trade mark sign
+
+ A0 C2A0 ; #  
+ A1 D18E ; # capital Byelorussian short U
+ A2 D19E ; # small Byelorussian short u
+
+ A4 C2A4 ; # currency sign
+ A5 D290 ; # capital Ukrainian soft G
+ A6 C2A6 ; # borken bar
+ A7 C2A7 ; # section sign
+ A8 D081 ; # capital YO
+ A9 C2A9 ; # (C)
+ AA D084 ; # capital Ukrainian YE
+ AB C2AB ; # left-pointing double angle quotation mark
+ AC C2AC ; # not sign
+ AD C2AD ; # soft hypen
+ AE C2AE ; # (R)
+ AF D087 ; # capital Ukrainian YI
+
+ B0 C2B0 ; # °
+ B1 C2B1 ; # plus-minus sign
+ B2 D086 ; # capital Ukrainian I
+ B3 D196 ; # small Ukrainian i
+ B4 D291 ; # small Ukrainian soft g
+ B5 C2B5 ; # micro sign
+ B6 C2B6 ; # pilcrow sign
+ B7 C2B7 ; # ·
+ B8 D191 ; # small yo
+ B9 E28496 ; # numero sign
+ BA D194 ; # small Ukrainian ye
+ BB C2BB ; # right-pointing double angle quotation mark
+
+ BF D197 ; # small Ukrainian yi
+
+ C0 D090 ; # capital A
+ C1 D091 ; # capital B
+ C2 D092 ; # capital V
+ C3 D093 ; # capital G
+ C4 D094 ; # capital D
+ C5 D095 ; # capital YE
+ C6 D096 ; # capital ZH
+ C7 D097 ; # capital Z
+ C8 D098 ; # capital I
+ C9 D099 ; # capital J
+ CA D09A ; # capital K
+ CB D09B ; # capital L
+ CC D09C ; # capital M
+ CD D09D ; # capital N
+ CE D09E ; # capital O
+ CF D09F ; # capital P
+
+ D0 D0A0 ; # capital 
R
+ D1 D0A1 ; # capital S
+ D2 D0A2 ; # capital T
+ D3 D0A3 ; # capital U
+ D4 D0A4 ; # capital F
+ D5 D0A5 ; # capital KH
+ D6 D0A6 ; # capital TS
+ D7 D0A7 ; # capital CH
+ D8 D0A8 ; # capital SH
+ D9 D0A9 ; # capital SHCH
+ DA D0AA ; # capital hard sign
+ DB D0AB ; # capital Y
+ DC D0AC ; # capital soft sign
+ DD D0AD ; # capital E
+ DE D0AE ; # capital YU
+ DF D0AF ; # capital YA
+
+ E0 D0B0 ; # small a
+ E1 D0B1 ; # small b
+ E2 D0B2 ; # small v
+ E3 D0B3 ; # small g
+ E4 D0B4 ; # small d
+ E5 D0B5 ; # small ye
+ E6 D0B6 ; # small zh
+ E7 D0B7 ; # small z
+ E8 D0B8 ; # small i
+ E9 D0B9 ; # small j
+ EA D0BA ; # small k
+ EB D0BB ; # small l
+ EC D0BC ; # small m
+ ED D0BD ; # small n
+ EE D0BE ; # small o
+ EF D0BF ; # small p
+
+ F0 D180 ; # small r
+ F1 D181 ; # small s
+ F2 D182 ; # small t
+ F3 D183 ; # small u
+ F4 D184 ; # small f
+ F5 D185 ; # small kh
+ F6 D186 ; # small ts
+ F7 D187 ; # small ch
+ F8 D188 ; # small sh
+ F9 D189 ; # small shch
+ FA D18A ; # small hard sign
+ FB D18B ; # small y
+ FC D18C ; # small soft sign
+ FD D18D ; # small e
+ FE D18E ; # small yu
+ FF D18F ; # small ya
+}
diff --git a/imunify360-webshield/wscheck.conf b/imunify360-webshield/wscheck.conf
new file mode 100644
index 0000000..3113a95
--- /dev/null
+++ b/imunify360-webshield/wscheck.conf
@@ -0,0 +1,14 @@
+# enable captcha check for CloudFlare (on|off, default is off)
+cloudflare_captcha off;
+
+# Use splashscreen as captcha for Chinese customers
+wscheck_splashscreen_as_captcha off;
+
+# Use these values for User ID hash
+wscheck_session_key $remote_addr$http_user_agent;
+
+# Search client address in the following places
+wscheck_ipsearch cloudflare|$http_cf_connecting_ip cloudflare|$http_true_client_ip !cloudflare|$http_x_forwarded_for;
+
+# Use this variable to check if client is a proxy
+wscheck_proxy_var_name remote_proxy;
diff --git a/imunify360/unified-access-logger.conf b/imunify360/unified-access-logger.conf
new file mode 100644
index 0000000..2546394
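Review bot: the `wscheck_ipsearch` line in wscheck.conf lists three client-supplied headers (`$http_cf_connecting_ip`, `$http_true_client_ip`, `$http_x_forwarded_for`) as sources for the client address, and the comment above it does not say under what condition they are honoured; the last directive, `wscheck_proxy_var_name remote_proxy;`, suggests they are only consulted when `$remote_proxy` marks the peer as a known proxy, so `# only consulted when the peer is listed in $remote_proxy (see wscheck_proxy_var_name); otherwise $remote_addr is used` would state the contract, if that is indeed how the module behaves. `wscheck_session_key $remote_addr$http_user_agent;` feeds a client-controlled header into the "User ID hash"; a comment on what that hash gates would let a reviewer judge whether that input matters.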
--- /dev/null
+++ b/imunify360/unified-access-logger.conf
@@ -0,0 +1,57 @@
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+#
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# DO NOT EDIT. INTERNAL USAGE ONLY.
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+#
+# Direct modifications to this file prohibited.
+#
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+groups:
+ ipv4: 36005
+ ipv6: 36005
+rules:
+# im360-whitelist:
+# id: 1
+# name: Accepted packets from whitelisted IP via iptables rules
+# severity: 3
+ im360-blacklist:
+ id: 2
+ name: Dropped packets from blacklisted IP via iptables rules
+ severity: 6
+ im360-graylist:
+ id: 3
+ name: Dropped packets on non-web port from graylisted IP via iptables rules
+ severity: 6
+ im360-blocked-by-port:
+ id: 4
+ name: Dropped packets for blocked port via iptables rules
+ severity: 6
+ im360-whitelisted-country:
+ id: 5
+ name: Accepted packets from whitelisted country via iptables rules
+ severity: 3
+ im360-blacklisted-country:
+ id: 6
+ name: Dropped packets from blacklisted country via iptables rules
+ severity: 6
+ webshield_blacklisted:
+ id: 7
+ name: Dropped request from blacklisted IP via WebShield
+ severity: 6
+ webshield_blacklisted_country:
+ id: 8
+ severity: 6
+ name: Dropped request from blacklisted country via WebShield
+ webshield_graylisted_blocked:
+ id: 9
+ severity: 6
+ name: Dropped non-text/html request from graylisted IP via WebShield
+ im360-outgoing-blocked:
+ id: 10
+ severity: 6
+ name: Outgoing connection blocked
+ webshield_splashscreen:
+ id: 11
+ severity: 6
+ name: Shown splashscreen as request response for graylisted IP via WebShield
diff --git a/ld.so.conf.d/alt-hyperscan.conf b/ld.so.conf.d/alt-hyperscan.conf
new file mode 100644
index 0000000..09532a3
--- /dev/null
+++ b/ld.so.conf.d/alt-hyperscan.conf
@@ -0,0 +1 @@
+/opt/alt/hyperscan54///lib64/
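Review bot: the `rules:` entries in imunify360/unified-access-logger.conf are not written in one key order — `im360-blacklist` through `webshield_blacklisted` use `id, name, severity`, while `webshield_blacklisted_country` through `webshield_splashscreen` use `id, severity, name` — and two separator styles (`im360-…` with dashes, `webshield_…` with underscores) sit side by side. The file is marked internal, so this is feedback for whoever produces it rather than a local edit, but one ordering and one separator would make the list scannable. The commented-out `im360-whitelist` block (`id: 1`) carries no note on why it is disabled; `# id 1 reserved: whitelist accepts are not reported` (or whatever the real reason is) would stop a reader from re-enabling it.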
diff --git a/logrotate.d/cloudlinux-backup-utils b/logrotate.d/cloudlinux-backup-utils
new file mode 100644
index 0000000..5964860
--- /dev/null
+++ b/logrotate.d/cloudlinux-backup-utils
@@ -0,0 +1,11 @@
+/var/log/cloudlinux-backup-mysql-freeze.log
+/var/log/cloudlinux-backup-utils-cron.log
+/var/log/cloudlinux-backup-utils.log
+{
+ rotate 3
+ maxsize 50M
+ compress
+ delaycompress
+ create 640 root root
+ missingok
+}
diff --git a/logrotate.d/imunify360 b/logrotate.d/imunify360
new file mode 100644
index 0000000..6fe025e
--- /dev/null
+++ b/logrotate.d/imunify360
@@ -0,0 +1,17 @@
+/var/log/imunify360/captcha.log {
+ # Keep 3 lotated files before removal
+ rotate 3
+ maxsize 50M
+ hourly
+ compress
+ delaycompress
+
+ nocreate
+ missingok
+
+ postrotate
+ if systemctl status imunify360-captcha > /dev/null ; then \
+ systemctl restart imunify360-captcha > /dev/null; \
+ fi;
+ endscript
+}
diff --git a/logrotate.d/imunify360-pam b/logrotate.d/imunify360-pam
new file mode 100644
index 0000000..0639b72
--- /dev/null
+++ b/logrotate.d/imunify360-pam
@@ -0,0 +1,9 @@
+/var/log/imunify360/pam.log {
+ missingok
+ notifempty
+ size 30k
+ create 0600 root root
+ postrotate
+ systemctl restart imunify360-pam > /dev/null
+ endscript
+}
diff --git a/logrotate.d/imunify360-unified-access-logger b/logrotate.d/imunify360-unified-access-logger
new file mode 100644
index 0000000..8712453
--- /dev/null
+++ b/logrotate.d/imunify360-unified-access-logger
@@ -0,0 +1,9 @@
+/var/log/imunify360/imunify360-unified-access-logger/log.rotate {
+ missingok
+ notifempty
+ size 30k
+ create 0600 root root
+ postrotate
+ service imunify360-unified-access-logger restart
+ endscript
+}
diff --git a/logrotate.d/imunify360-wafd b/logrotate.d/imunify360-wafd
new file mode 100644
index 0000000..57c48d1
--- /dev/null
+++ b/logrotate.d/imunify360-wafd
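Review bot: the comment `# Keep 3 lotated files before removal` in logrotate.d/imunify360 has a typo; `# Keep 3 rotated files before removal` is meant. The stanza pairs `nocreate` with a conditional `systemctl restart imunify360-captcha`, so after rotation captcha.log only reappears if the service is running and recreates it on start — if that is the intent, `# nocreate: the captcha service recreates its log on restart` next to `nocreate` would record the dependency. The trailing `\` inside the `if … fi;` block appear unnecessary, since logrotate hands the whole postrotate body to the shell as a script.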
@@ -0,0 +1,9 @@
+/var/log/imunify360/wafd.log {
+ missingok
+ notifempty
+ size 30k
+ create 0600 root root
+ postrotate
+ service imunify360-wafd restart
+ endscript
+}
diff --git a/logrotate.d/imunify360-webshield b/logrotate.d/imunify360-webshield
new file mode 100644
index 0000000..4f17c08
--- /dev/null
+++ b/logrotate.d/imunify360-webshield
@@ -0,0 +1,15 @@
+/var/log/imunify360-webshield/*.log {
+ daily
+ missingok
+ rotate 52
+ compress
+ delaycompress
+ notifempty
+ create 640 imunify360-webshield adm
+ sharedscripts
+ postrotate
+ if [ -f /var/run/imunify360-webshield.pid ]; then
+ kill -USR1 `cat /var/run/imunify360-webshield.pid`
+ fi
+ endscript
+}
diff --git a/logrotate.d/ossec-hids b/logrotate.d/ossec-hids
new file mode 100644
index 0000000..82b28c5
--- /dev/null
+++ b/logrotate.d/ossec-hids
@@ -0,0 +1,22 @@
+/var/ossec/logs/active-responses.log {
+ missingok
+ notifempty
+ copytruncate
+ maxsize 100M
+ rotate 7
+ create 0664 ossec ossec
+ su ossec ossec
+}
+
+/var/ossec/logs/ossec.log {
+ missingok
+ notifempty
+ copytruncate
+ maxsize 100M
+ rotate 7
+ create 0664 ossec ossec
+ su ossec ossec
+ postrotate
+ /var/ossec/bin/ossec-control restart > /dev/null 2>/dev/null
+ endscript
+}
diff --git a/odbc.ini b/odbc.ini
new file mode 100644
index 0000000..e69de29
diff --git a/odbcinst.ini b/odbcinst.ini
new file mode 100644
index 0000000..a99515c
--- /dev/null
+++ b/odbcinst.ini
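Review bot: both stanzas in logrotate.d/ossec-hids combine `copytruncate` with `create 0664 ossec ossec`, and `create` has no effect under `copytruncate` because the original file is truncated in place rather than replaced — the `create` line is dead configuration and should either be dropped or replace `copytruncate`. For `/var/ossec/logs/ossec.log` the `postrotate` additionally runs `ossec-control restart`, which is exactly what `copytruncate` makes unnecessary; a full HIDS restart on every size-triggered rotation leaves a short monitoring gap, so one mechanism should be chosen and the choice commented. `0664` also makes a security log group-writable; if group write is required, a comment saying by which process would justify it.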
@@ -0,0 +1,42 @@
+# Example driver definitions
+
+# Driver from the postgresql-odbc package
+# Setup from the unixODBC package
+[PostgreSQL]
+Description = ODBC for PostgreSQL
+Driver = /usr/lib/psqlodbcw.so
+Setup = /usr/lib/libodbcpsqlS.so
+Driver64 = /usr/lib64/psqlodbcw.so
+Setup64 = /usr/lib64/libodbcpsqlS.so
+FileUsage = 1
+
+
+# Driver from the mysql-connector-odbc package
+# Setup from the unixODBC package
+[MySQL]
+Description = ODBC for MySQL
+Driver = /usr/lib/libmyodbc5.so
+Setup = /usr/lib/libodbcmyS.so
+Driver64 = /usr/lib64/libmyodbc5.so
+Setup64 = /usr/lib64/libodbcmyS.so
+FileUsage = 1
+
+
+# Driver from the freetds-libs package
+# Setup from the unixODBC package
+[FreeTDS]
+Description = Free Sybase & MS SQL Driver
+Driver = /usr/lib/libtdsodbc.so
+Setup = /usr/lib/libtdsS.so
+Driver64 = /usr/lib64/libtdsodbc.so
+Setup64 = /usr/lib64/libtdsS.so
+Port = 1433
+
+
+# Driver from the mariadb-connector-odbc package
+# Setup from the unixODBC package
+[MariaDB]
+Description = ODBC for MariaDB
+Driver = /usr/lib/libmaodbc.so
+Driver64 = /usr/lib64/libmaodbc.so
+FileUsage = 1
diff --git a/ossec-init.conf b/ossec-init.conf
new file mode 100644
index 0000000..1a5d993
--- /dev/null
+++ b/ossec-init.conf
@@ -0,0 +1,4 @@
+DIRECTORY="/var/ossec"
+VERSION="3.1.0"
+DATE="Wed Dec 28 14:52:06 UTC 2022"
+TYPE="server"
diff --git a/pam.d/dovecot_imunify b/pam.d/dovecot_imunify
new file mode 100644
index 0000000..2821cca
--- /dev/null
+++ b/pam.d/dovecot_imunify
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth required pam_nologin.so
+auth required pam_imunify.so check_only
+auth sufficient pam_imunify.so
+auth required pam_deny.so
+
+account required pam_permit.so
\ No newline at end of file
diff --git a/pam.d/dovecot_imunify_domainowner b/pam.d/dovecot_imunify_domainowner
new file mode 100644
index 0000000..1ef5912
--- /dev/null
+++ b/pam.d/dovecot_imunify_domainowner
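Review bot: pam.d/dovecot_imunify (and dovecot_imunify_domainowner in the next hunk, which differs only by the `domain_owner_mail_pass` option) has no comment explaining why `pam_imunify.so` appears twice: the `check_only` line apparently performs the lockout check before any credential is verified and the `sufficient` line does the verification itself, with `pam_deny.so` catching everything else. A header such as `# check_only: lockout check first; the sufficient line performs the actual authentication` would make the stack readable, if that is what the module options mean. `account required pam_permit.so` skips account-phase checks such as password expiry for these logins; a comment on why that is acceptable — presumably because Dovecot holds the real passdb — belongs next to it. Both files also lack a trailing newline.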
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth required pam_nologin.so
+auth required pam_imunify.so check_only
+auth sufficient pam_imunify.so domain_owner_mail_pass
+auth required pam_deny.so
+
+account required pam_permit.so
\ No newline at end of file
diff --git a/pam.d/proftpd_imunify b/pam.d/proftpd_imunify
new file mode 100644
index 0000000..93e87ee
--- /dev/null
+++ b/pam.d/proftpd_imunify
@@ -0,0 +1,11 @@
+#%PAM-1.0
+auth required pam_nologin.so
+auth required pam_listfile.so item=user sense=deny file=/etc/proftpd/passwd.vhosts onerr=succeed
+auth required pam_imunify.so check_only
+auth optional pam_unix.so nullok try_first_pass
+auth sufficient pam_imunify.so cpanel
+auth required pam_deny.so
+
+account required pam_permit.so
+
+session required pam_permit.so
diff --git a/pam_imunify/i360.ini b/pam_imunify/i360.ini
new file mode 100644
index 0000000..1a1ffa3
--- /dev/null
+++ b/pam_imunify/i360.ini
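Review bot: in pam.d/proftpd_imunify, `auth optional pam_unix.so nullok try_first_pass` can never decide the stack because it is `optional`, so its apparent role is to prompt for and cache the password for the following `pam_imunify.so cpanel` line; if so, `nullok` changes nothing but reads as "empty passwords allowed" and should go, and a comment `# pam_unix only collects the password for pam_imunify below; its verdict is ignored` should state the intent. This is inferred from module order alone, so confirm against the pam_imunify documentation before removing the flag. The `pam_listfile.so … onerr=succeed` line fails open when /etc/proftpd/passwd.vhosts cannot be read; a comment on why that is the wanted behaviour would save the next reviewer the same question.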
@@ -0,0 +1,47 @@
+# Path to database
+mod_db_path=/opt/i360_pam_imunify/db
+
+# Path to UNIX socket
+socket=/opt/i360_pam_imunify/pam_imunify360.sock
+# Wait for service to start up to 120 seconds
+socket_readycheck_timeout=120
+
+# Log file path
+# log=/var/log/imunify360/pam.log
+
+# Sentry error reporting (must be an url or "off")
+sentry=https://sentry.cloudlinux.com/sentry/i360-pam-imunify/
+
+# RBL domains (separated with comma) and timeout (in seconds)
+rbl=net-brute.rbl.imunify.com.
+RBL_timeout=5
+RBL_nameserver=ns1-rbl.imunify.com:53
+
+USER_LOCK_TIMEOUT=5
+USER_LOCK_ATTEMPTS=10
+USER_LOCK_MINUTES=5
+
+# for how long username / ip should timeout in minutes
+USER_IP_LOCK_TIMEOUT=5
+# of attempts after which username / ip should be locked
+USER_IP_LOCK_ATTEMPTS=10
+# period during which attempts should be accounted for
+USER_IP_LOCK_MINUTES=5
+# for how long username / ip pair shall be kept in whitelist after succesful login
+# (default 20160 is 14 days)
+USER_IP_LOCK_AUTOWHITELIST_TIMEOUT=20160
+
+# for how long IP should timeout in minutes
+IP_LOCK_TIMEOUT=5
+# of attempts after which IP should be locked
+IP_LOCK_ATTEMPTS=100
+# period during which attempts should be accounted for
+IP_LOCK_MINUTES=5
+
+whitelisted_ips_path=/var/i360_pam_imunify/wl/ips.txt
+
+# whitelisted_ips_include is comma separated path list
+# where user ip list path goes the last
+whitelisted_ips_include=/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/rbl_whitelist,/etc/httpd/conf/modsecurity.d/rules/custom/rbl_whitelist,/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-litespeed/rbl_whitelist
+
+whitelisted_users_path=/var/i360_pam_imunify/users/users.txt
diff --git a/passwd b/passwd
index e4fe3e8..4f863b4 100644
--- a/passwd
+++ b/passwd
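Review bot: the comments `# of attempts after which username / ip should be locked` and `# of attempts after which IP should be locked` in pam_imunify/i360.ini read as fragments because the `#` intended as "number" is the comment marker; `# number of attempts after which username / ip should be locked` says it. `succesful` in the `USER_IP_LOCK_AUTOWHITELIST_TIMEOUT` comment should be `successful`. Key names mix three conventions (`rbl`, `RBL_timeout`, `mod_db_path`, `USER_LOCK_TIMEOUT`), and whether the consuming parser is case-sensitive is not visible here, so a header line naming the consumer and its case rule would be the minimum documentation. The `USER_LOCK_*` trio is the only group with no explanatory comment, while its `USER_IP_LOCK_*` and `IP_LOCK_*` siblings each get one per key.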
@@ -79,3 +79,6 @@ sftp:x:1023:1023::/home/sftp:/bin/bash
 toranon:x:959:955:Tor anonymizing user:/var/lib/tor:/sbin/nologin
 privoxy:x:73:73::/etc/privoxy:/sbin/nologin
 netdata:x:958:954:Netdata pseudo user:/usr/share/netdata:/sbin/nologin
+_imunify:x:957:953::/home/_imunify:/bin/false
+imunify360-webshield:x:956:951:imunify360-webshield user:/var/cache/imunify360-webshield:/sbin/nologin
+ossec:x:955:957::/var/ossec:/sbin/nologin
diff --git a/passwd- b/passwd-
index d31ae1f..49eafd5 100644
--- a/passwd-
+++ b/passwd-
@@ -78,3 +78,6 @@ pydio:x:1021:1022::/home/pydio:/bin/bash
 sftp:x:1023:1023::/home/sftp:/bin/bash
 toranon:x:959:955:Tor anonymizing user:/var/lib/tor:/sbin/nologin
 privoxy:x:73:73::/etc/privoxy:/sbin/nologin
+netdata:x:958:954:Netdata pseudo user:/usr/share/netdata:/sbin/nologin
+_imunify:x:957:953::/home/_imunify:/bin/false
+imunify360-webshield:x:956:951:imunify360-webshield user:/var/cache/imunify360-webshield:/sbin/nologin
diff --git a/shadow b/shadow
index f0ed75b..b708121 100644
--- a/shadow
+++ b/shadow
@@ -79,3 +79,6 @@ sftp:!!:19193:0:99999:7:30::
 toranon:!!:19312::::::
 privoxy:!!:19312::::::
 netdata:!!:19381::::::
+_imunify:!!:19397::::::
+imunify360-webshield:!!:19397::::::
+ossec:!!:19397::::::
diff --git a/shadow- b/shadow-
index d0cb711..307b465 100644
--- a/shadow-
+++ b/shadow-
@@ -78,3 +78,6 @@ pydio:!!:19102:0:99999:7:30::
 sftp:!!:19193:0:99999:7:30::
 toranon:!!:19312::::::
 privoxy:!!:19312::::::
+netdata:!!:19381::::::
+_imunify:!!:19397::::::
+imunify360-webshield:!!:19397::::::
diff --git a/sysconfig/aibolit-resident b/sysconfig/aibolit-resident
new file mode 100644
index 0000000..a979001
--- /dev/null
+++ b/sysconfig/aibolit-resident
@@ -0,0 +1 @@
+ARCHIVE_SCAN="--scan-archive"
diff --git a/sysconfig/imunify360/.imunify360.backup_config b/sysconfig/imunify360/.imunify360.backup_config
new file mode 100644
index 0000000..0d51b6d
--- /dev/null
+++ b/sysconfig/imunify360/.imunify360.backup_config
@@ -0,0 +1,18 @@
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+#
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# DO NOT EDIT. AUTOMATICALLY GENERATED.
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+#
+# Direct modifications to this file WILL be lost upon subsequent
+# regeneration of this configuration file.
+#
+# To have your modifications retained, you should use CLI command
+# imunify360-agent backup-systems
+# or activate/deactivate appropriate feature in UI.
+#
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+
+BACKUP_SYSTEM:
+ backup_system: null
+ enabled: false
diff --git a/sysconfig/imunify360/custom_billing.config b/sysconfig/imunify360/custom_billing.config
new file mode 100644
index 0000000..2a747a0
--- /dev/null
+++ b/sysconfig/imunify360/custom_billing.config
@@ -0,0 +1,4 @@
+CUSTOM_BILLING:
+ upgrade_url: null
+ billing_notifications: true
+ ip_license: true
diff --git a/sysconfig/imunify360/imunify360-merged.config b/sysconfig/imunify360/imunify360-merged.config
new file mode 100644
index 0000000..7b7f464
--- /dev/null
+++ b/sysconfig/imunify360/imunify360-merged.config
@@ -0,0 +1,194 @@ +############################################################################ +# DO NOT MODIFY THIS FILE!!! # +# USE /etc/sysconfig/imunify360/imunify360.config.d/ TO OVERRIDE DEFAULTS # +############################################################################ + +ADMIN_CONTACTS: + emails: [] + enable_icontact_notifications: true +AUTO_WHITELIST: + after_unblock_timeout: 1440 + timeout: 1440 +BACKUP_RESTORE: + cl_backup_allowed: true + cl_on_premise_backup_allowed: false + max_days_in_backup: 90 +BLOCKED_PORTS: + default_mode: allowed +CAPTCHA: + cert_refresh_timeout: 3600 +CAPTCHA_DOS: + enabled: true + max_count: 100 + time_frame: 21600 + timeout: 864000 +CSF_INTEGRATION: + catch_lfd_events: false +DOS: + default_limit: 250 + enabled: true + interval: 30 + port_limits: {} +ERROR_REPORTING: + enable: true +FIREWALL: + TCP_IN_IPv4: + - '20' + - '21' + - '22' + - '25' + - '53' + - '80' + - '110' + - '443' + - '465' + - '587' + - '993' + - '995' + TCP_OUT_IPv4: + - '20' + - '21' + - '22' + - '25' + - '53' + - '80' + - '110' + - '113' + - '443' + - '587' + - '993' + - '995' + UDP_IN_IPv4: + - '20' + - '21' + - '53' + - '443' + UDP_OUT_IPv4: + - '20' + - '21' + - '53' + - '113' + - '123' + internal_use_remote_iplist: false + port_blocking_mode: ALLOW +INCIDENT_LOGGING: + limit: 100000 + min_log_level: 4 + num_days: 100 + ui_autorefresh_timeout: 10 +KERNELCARE: + edf: false +LOGGER: + backup_count: 5 + max_log_file_size: 62914560 + syscall_monitor: false +MALWARE_CLEANUP: + keep_original_files_days: 14 + trim_file_instead_of_removal: true +MALWARE_DATABASE_SCAN: + enable: false +MALWARE_SCANNING: + cloud_assisted_scan: true + crontabs: false + default_action: cleanup + detect_elf: true + enable_scan_cpanel: true + enable_scan_inotify: true + enable_scan_modsec: true + enable_scan_pure_ftpd: true + hyperscan: false + max_cloudscan_size_to_scan: 10485760 + max_mrs_upload_file: 10485760 + max_signature_size_to_scan: 1048576 + notify_on_detect: false + 
optimize_realtime_scan: true + rapid_scan: true + rapid_scan_rescan_unchanging_files_frequency: null + scan_modified_files: null + sends_file_for_analysis: true + try_restore_from_backup_first: false +MALWARE_SCAN_INTENSITY: + cpu: 2 + io: 2 + ram: 2048 + user_scan_cpu: 2 + user_scan_io: 2 + user_scan_ram: 1024 +MALWARE_SCAN_SCHEDULE: + day_of_month: 1 + day_of_week: 0 + hour: 3 + interval: week +MOD_SEC: + app_specific_ruleset: true + cms_account_compromise_prevention: false + prev_settings: '' + ruleset: FULL +MOD_SEC_BLOCK_BY_CUSTOM_RULE: + 33332: + check_period: 120 + max_incidents: 10 + 33339: + check_period: 120 + max_incidents: 10 +MOD_SEC_BLOCK_BY_SEVERITY: + check_period: 120 + denied_num_limit: 2 + enable: true + max_incidents: 2 + severity_limit: 2 +NETWORK_INTERFACE: + eth6_device: null + eth_device: null + eth_device_skip: [] +OSSEC: + active_response: false +PAM: + enable: true + exim_dovecot_native: false + exim_dovecot_protection: true + ftp_protection: false +PERMISSIONS: + advisor: true + allow_malware_scan: false + support_form: true + upgrade_button: true + user_ignore_list: false + user_override_malware_actions: false + user_override_proactive_defense: false +PROACTIVE_DEFENCE: + blamer: true + mode: LOG + php_immunity: false +RESOURCE_MANAGEMENT: + cpu_limit: 2 + io_limit: 2 + ram_limit: 500 +SECURE_SITE: + enable: false + purchase_page_url: https://secure.site +SEND_ADDITIONAL_DATA: + enable: true +SMTP_BLOCKING: + allow_groups: + - mail + allow_local: false + allow_users: [] + enable: false + ports: + - 25 + - 587 + - 465 + redirect: false +STOP_MANAGING: + modsec_directives: false +WEBSHIELD: + captcha_secret_key: '' + captcha_site_key: '' + enable: true + invisible_captcha: false + known_proxies_support: true + splash_screen: true +WEB_SERVICES: + http_ports: [] + https_ports: [] diff --git a/sysconfig/imunify360/imunify360.config b/sysconfig/imunify360/imunify360.config new file mode 100644 index 0000000..0967ef4 --- /dev/null 
+++ b/sysconfig/imunify360/imunify360.config
@@ -0,0 +1 @@
+{}
diff --git a/sysconfig/imunify360/imunify360.config.d/10_on_first_install.config b/sysconfig/imunify360/imunify360.config.d/10_on_first_install.config
new file mode 100644
index 0000000..b019de2
--- /dev/null
+++ b/sysconfig/imunify360/imunify360.config.d/10_on_first_install.config
@@ -0,0 +1,22 @@
+# Here's config values that should override imunify360
+# default settings for the first install
+#
+# (the intended priority is greater than the values in the agent code
+# but less than any user(local) settings)
+#
+# DO NOT EDIT THE FILE, THE CHANGES WILL BE OVERWRITTEN
+#
+# to override it, put settings into a lexicographically greater file
+# e.g., put 50-local-overrides.config file in
+# /etc/sysconfig/imunify360/imunify360.config.d/ dir, see
+# https://docs.imunify360.com/features/#overridable-config
+#
+PROACTIVE_DEFENCE:
+ php_immunity: True
+LOGGER:
+ syscall_monitor: true
+MALWARE_SCANNING:
+ enable_scan_cpanel: true
+ hyperscan: true
+WEBSHIELD:
+ splash_screen: true
diff --git a/sysconfig/imunify360/imunify360.config.d/90-local.config b/sysconfig/imunify360/imunify360.config.d/90-local.config
new file mode 120000
index 0000000..244745a
--- /dev/null
+++ b/sysconfig/imunify360/imunify360.config.d/90-local.config
@@ -0,0 +1 @@
+../imunify360.config
\ No newline at end of file
diff --git a/sysconfig/imunify360/imunify360.config.defaults.example b/sysconfig/imunify360/imunify360.config.defaults.example
new file mode 100644
index 0000000..f5ec47b
--- /dev/null
+++ b/sysconfig/imunify360/imunify360.config.defaults.example
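Review bot: `php_immunity: True` in 10_on_first_install.config is the only capitalised boolean in the file — `syscall_monitor`, `enable_scan_cpanel`, `hyperscan` and `splash_screen` all use `true`, as does the merged config in this commit; most YAML loaders accept both spellings, but one form per config set is easier to grep and diff, so `php_immunity: true`. The header explains the override order well; naming the merge result (`imunify360-merged.config`) in it would also tell readers where to verify the effective value.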
@@ -0,0 +1,196 @@
+############################################################################
+# DO NOT MODIFY THIS FILE!!! #
+# USE /etc/sysconfig/imunify360/imunify360.config.d/ TO OVERRIDE DEFAULTS #
+# This is an example of default values only #
+# Changing this file will have no effect #
+############################################################################
+
+ADMIN_CONTACTS:
+ emails: []
+ enable_icontact_notifications: true
+AUTO_WHITELIST:
+ after_unblock_timeout: 1440
+ timeout: 1440
+BACKUP_RESTORE:
+ cl_backup_allowed: true
+ cl_on_premise_backup_allowed: false
+ max_days_in_backup: 90
+BLOCKED_PORTS:
+ default_mode: allowed
+CAPTCHA:
+ cert_refresh_timeout: 3600
+CAPTCHA_DOS:
+ enabled: true
+ max_count: 100
+ time_frame: 21600
+ timeout: 864000
+CSF_INTEGRATION:
+ catch_lfd_events: false
+DOS:
+ default_limit: 250
+ enabled: true
+ interval: 30
+ port_limits: {}
+ERROR_REPORTING:
+ enable: true
+FIREWALL:
+ TCP_IN_IPv4:
+ - '20'
+ - '21'
+ - '22'
+ - '25'
+ - '53'
+ - '80'
+ - '110'
+ - '443'
+ - '465'
+ - '587'
+ - '993'
+ - '995'
+ TCP_OUT_IPv4:
+ - '20'
+ - '21'
+ - '22'
+ - '25'
+ - '53'
+ - '80'
+ - '110'
+ - '113'
+ - '443'
+ - '587'
+ - '993'
+ - '995'
+ UDP_IN_IPv4:
+ - '20'
+ - '21'
+ - '53'
+ - '443'
+ UDP_OUT_IPv4:
+ - '20'
+ - '21'
+ - '53'
+ - '113'
+ - '123'
+ internal_use_remote_iplist: false
+ port_blocking_mode: ALLOW
+INCIDENT_LOGGING:
+ limit: 100000
+ min_log_level: 4
+ num_days: 100
+ ui_autorefresh_timeout: 10
+KERNELCARE:
+ edf: false
+LOGGER:
+ backup_count: 5
+ max_log_file_size: 62914560
+ syscall_monitor: false
+MALWARE_CLEANUP:
+ keep_original_files_days: 14
+ trim_file_instead_of_removal: true
+MALWARE_DATABASE_SCAN:
+ enable: false
+MALWARE_SCANNING:
+ cloud_assisted_scan: true
+ crontabs: false
+ default_action: cleanup
+ detect_elf: true
+ enable_scan_cpanel: true
+ enable_scan_inotify: true
+ enable_scan_modsec: true
+ enable_scan_pure_ftpd: true
+ hyperscan: false
+ max_cloudscan_size_to_scan: 10485760
+ max_mrs_upload_file: 10485760
+ max_signature_size_to_scan: 1048576
+ notify_on_detect: false
+ optimize_realtime_scan: true
+ rapid_scan: true
+ rapid_scan_rescan_unchanging_files_frequency: null
+ scan_modified_files: null
+ sends_file_for_analysis: true
+ try_restore_from_backup_first: false
+MALWARE_SCAN_INTENSITY:
+ cpu: 2
+ io: 2
+ ram: 2048
+ user_scan_cpu: 2
+ user_scan_io: 2
+ user_scan_ram: 1024
+MALWARE_SCAN_SCHEDULE:
+ day_of_month: 1
+ day_of_week: 0
+ hour: 3
+ interval: week
+MOD_SEC:
+ app_specific_ruleset: true
+ cms_account_compromise_prevention: false
+ prev_settings: ''
+ ruleset: FULL
+MOD_SEC_BLOCK_BY_CUSTOM_RULE:
+ 33332:
+ check_period: 120
+ max_incidents: 10
+ 33339:
+ check_period: 120
+ max_incidents: 10
+MOD_SEC_BLOCK_BY_SEVERITY:
+ check_period: 120
+ denied_num_limit: 2
+ enable: true
+ max_incidents: 2
+ severity_limit: 2
+NETWORK_INTERFACE:
+ eth6_device: null
+ eth_device: null
+ eth_device_skip: []
+OSSEC:
+ active_response: false
+PAM:
+ enable: true
+ exim_dovecot_native: false
+ exim_dovecot_protection: true
+ ftp_protection: false
+PERMISSIONS:
+ advisor: true
+ allow_malware_scan: false
+ support_form: true
+ upgrade_button: true
+ user_ignore_list: false
+ user_override_malware_actions: false
+ user_override_proactive_defense: false
+PROACTIVE_DEFENCE:
+ blamer: true
+ mode: LOG
+ php_immunity: false
+RESOURCE_MANAGEMENT:
+ cpu_limit: 2
+ io_limit: 2
+ ram_limit: 500
+SECURE_SITE:
+ enable: false
+ purchase_page_url: https://secure.site
+SEND_ADDITIONAL_DATA:
+ enable: true
+SMTP_BLOCKING:
+ allow_groups:
+ - mail
+ allow_local: false
+ allow_users: []
+ enable: false
+ ports:
+ - 25
+ - 587
+ - 465
+ redirect: false
+STOP_MANAGING:
+ modsec_directives: false
+WEBSHIELD:
+ captcha_secret_key: ''
+ captcha_site_key: ''
+ enable: true
+ invisible_captcha: false
+ known_proxies_support: true
+ splash_screen: true
+WEB_SERVICES:
+ http_ports: []
+ https_ports: []
diff --git a/sysconfig/imunify360/malware-filters-admin-conf/ignored.txt b/sysconfig/imunify360/malware-filters-admin-conf/ignored.txt new file mode 100644 index 0000000..c73b537 --- /dev/null +++ b/sysconfig/imunify360/malware-filters-admin-conf/ignored.txt @@ -0,0 +1,18 @@ +# IMPORTANT: after making changes to this file, perform: +# +# imunify360-agent malware rebuild patterns +# +# This file contains additional regular expression patterns specifying what +# filesystem paths should not be monitored by inotify/ fanotify realtime +# scanner. +# Patterns can be absolute: +# /another/folder +# or relative to basedirs supplied by hosting control panels: +# +[^/]+/www/\.cache +# This relative pattern will expand to ^/home/[^/]+/www/\.cache for cPanel, for +# example. +# +# All patterns listed here have higher priority than stock watched and ignored +# lists supplied with Imunify360. +# +# Custom ignore patterns have higher priority than custom watched patterns. diff --git a/sysconfig/imunify360/malware-filters-admin-conf/watched.txt b/sysconfig/imunify360/malware-filters-admin-conf/watched.txt new file mode 100644 index 0000000..417e94c --- /dev/null +++ b/sysconfig/imunify360/malware-filters-admin-conf/watched.txt @@ -0,0 +1,14 @@ +# IMPORTANT: after making changes to this file, perform: +# +# imunify360-agent malware rebuild patterns +# +# This file contains additional shell-like glob patterns specifying what file +# system directories should be monitored by inotify/ fanotify realtime scanner. +# Patterns can be absolute: +# /another/folder +# or relative to basedirs supplied by hosting control panels: +# +*/www +# This relative pattern will expand to /home/*/www for cPanel, for example. +# +# All patterns listed here have higher priority than stock watched and ignored +# lists supplied with Imunify360. diff --git a/sysctl.d/90-webshield-ip-local-reserved.conf b/sysctl.d/90-webshield-ip-local-reserved.conf new file mode 100644 index 0000000..7f306bc --- /dev/null 
+++ b/sysctl.d/90-webshield-ip-local-reserved.conf
@@ -0,0 +1,2 @@
+# Reserve ports for webshield services
+net.ipv4.ip_local_reserved_ports = 52223,52224,52227-52235
diff --git a/systemd/system/imunify-antivirus.service b/systemd/system/imunify-antivirus.service
new file mode 120000
index 0000000..dc1dc0c
--- /dev/null
+++ b/systemd/system/imunify-antivirus.service
@@ -0,0 +1 @@
+/dev/null
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/aibolit-resident.service b/systemd/system/multi-user.target.wants/aibolit-resident.service
new file mode 120000
index 0000000..1e7a746
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/aibolit-resident.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/aibolit-resident.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/imunify-antivirus.service b/systemd/system/multi-user.target.wants/imunify-antivirus.service
new file mode 120000
index 0000000..20bf47a
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/imunify-antivirus.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/imunify-antivirus.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/imunify-notifier.service b/systemd/system/multi-user.target.wants/imunify-notifier.service
new file mode 120000
index 0000000..a7f2509
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/imunify-notifier.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/imunify-notifier.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/imunify360-pam.service b/systemd/system/multi-user.target.wants/imunify360-pam.service
new file mode 120000
index 0000000..91a3346
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/imunify360-pam.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/imunify360-pam.service
\ No newline at end of file
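Review bot: `net.ipv4.ip_local_reserved_ports` is assigned rather than extended, so this drop-in replaces any reservation made by an earlier-sorted sysctl.d file, and a later-sorted file setting the same key would silently drop these webshield ports again. A comment recording that would protect the next editor, e.g. `# NOTE: sysctl replaces, not merges, this list; add further reservations here rather than in another drop-in`. The existing comment could also name which service listens on each of the three ranges, since nothing in the hunk says.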
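Review bot: `systemd/system/imunify-antivirus.service` points at `/dev/null`, which masks the unit, while `multi-user.target.wants/imunify-antivirus.service` on the same line enables it; a masked unit cannot be started, so that wants link is inert, and the `sockets.target.wants/imunify-antivirus.socket` link two lines further down would presumably try to activate the same masked service. The mask is presumably deliberate (the standalone antivirus unit superseded by the imunify360 units enabled alongside it), but nothing in the commit records that. Either the enablement links for the masked unit should go, or the commit description should state that the mask is intended and the links are expected leftovers.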
diff --git a/systemd/system/multi-user.target.wants/imunify360-php-daemon.service b/systemd/system/multi-user.target.wants/imunify360-php-daemon.service
new file mode 120000
index 0000000..b50c5f4
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/imunify360-php-daemon.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/imunify360-php-daemon.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/imunify360-wafd.service b/systemd/system/multi-user.target.wants/imunify360-wafd.service
new file mode 120000
index 0000000..8b71805
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/imunify360-wafd.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/imunify360-wafd.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/imunify360-webshield.service b/systemd/system/multi-user.target.wants/imunify360-webshield.service
new file mode 120000
index 0000000..00862d2
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/imunify360-webshield.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/imunify360-webshield.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/imunify360.service b/systemd/system/multi-user.target.wants/imunify360.service
new file mode 120000
index 0000000..3e09591
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/imunify360.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/imunify360.service
\ No newline at end of file
diff --git a/systemd/system/sockets.target.wants/aibolit-resident.socket b/systemd/system/sockets.target.wants/aibolit-resident.socket
new file mode 120000
index 0000000..1158ff5
--- /dev/null
+++ b/systemd/system/sockets.target.wants/aibolit-resident.socket
@@ -0,0 +1 @@
+/usr/lib/systemd/system/aibolit-resident.socket
\ No newline at end of file
diff --git a/systemd/system/sockets.target.wants/imunify-antivirus-sensor.socket b/systemd/system/sockets.target.wants/imunify-antivirus-sensor.socket
new file mode 120000
index 0000000..bf98d30
--- /dev/null
+++ b/systemd/system/sockets.target.wants/imunify-antivirus-sensor.socket
@@ -0,0 +1 @@
+/usr/lib/systemd/system/imunify-antivirus-sensor.socket
\ No newline at end of file
diff --git a/systemd/system/sockets.target.wants/imunify-antivirus-user.socket b/systemd/system/sockets.target.wants/imunify-antivirus-user.socket
new file mode 120000
index 0000000..3f16202
--- /dev/null
+++ b/systemd/system/sockets.target.wants/imunify-antivirus-user.socket
@@ -0,0 +1 @@
+/usr/lib/systemd/system/imunify-antivirus-user.socket
\ No newline at end of file
diff --git a/systemd/system/sockets.target.wants/imunify-antivirus.socket b/systemd/system/sockets.target.wants/imunify-antivirus.socket
new file mode 120000
index 0000000..08686b9
--- /dev/null
+++ b/systemd/system/sockets.target.wants/imunify-antivirus.socket
@@ -0,0 +1 @@
+/usr/lib/systemd/system/imunify-antivirus.socket
\ No newline at end of file
diff --git a/systemd/system/sockets.target.wants/imunify-notifier.socket b/systemd/system/sockets.target.wants/imunify-notifier.socket
new file mode 120000
index 0000000..468bb9a
--- /dev/null
+++ b/systemd/system/sockets.target.wants/imunify-notifier.socket
@@ -0,0 +1 @@
+/usr/lib/systemd/system/imunify-notifier.socket
\ No newline at end of file
diff --git a/systemd/system/sockets.target.wants/imunify360-php-daemon.socket b/systemd/system/sockets.target.wants/imunify360-php-daemon.socket
new file mode 120000
index 0000000..0b0015f
--- /dev/null
+++ b/systemd/system/sockets.target.wants/imunify360-php-daemon.socket
@@ -0,0 +1 @@
+/usr/lib/systemd/system/imunify360-php-daemon.socket
\ No newline at end of file
diff --git a/wafd_imunify/i360.ini b/wafd_imunify/i360.ini
new file mode 100644
index 0000000..7354c74
--- /dev/null
+++ b/wafd_imunify/i360.ini
@@ -0,0 +1,18 @@
+# Path to UNIX socket
+#socket=/var/run/imunify360/libiplists-daemon.sock
+
+# Log file path
+#log=/var/log/imunify360/pam.log
+
+# Sentry error reporting (must be an "on" or "off", default on)
+#sentry=off
+
+#shared_key_file=/opt/i360_wafd_imunify/key
+#request_timeout_ms=60000
+#response_timeout_ms=0
+#whitelist_ipset=
+#remote_proxy_ipset=
+#blacklist_ipset=
+#graylist_ipset=
+#splash_ipset=
+#user_name=imunify360-webshield
diff --git a/yum.repos.d/imunify-rollout.repo b/yum.repos.d/imunify-rollout.repo
new file mode 100644
index 0000000..dfe6e40
--- /dev/null
+++ b/yum.repos.d/imunify-rollout.repo
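Review bot: The nine keys from `shared_key_file` down carry no comment, unlike `socket`, `log` and `sentry` above them; `#response_timeout_ms=0` in particular leaves open whether 0 means no timeout or an immediate failure, and the five `*_ipset` keys do not say which ipset names they expect. A short comment above each group, giving the unit and the meaning of 0 for the two timeouts and the expected ipset for the list keys, would make the file self-describing in the same style as the first three entries. The `sentry` comment says the default is on while the example line reads `#sentry=off`; rewording it to `# Sentry error reporting: "on" or "off"; default on, uncomment to disable` makes clear that the line shows the non-default.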
@@ -0,0 +1,63 @@
+[imunify360-rollout-1]
+name=Imunify360 - Gradual Rollout Slot 1
+baseurl=https://download.imunify360.com/el/$releasever/slot-1/x86_64/
+enabled=1
+gpgcheck=1
+gpgkey=https://repo.imunify360.cloudlinux.com/defense360/RPM-GPG-KEY-CloudLinux
+skip_if_unavailable=True
+
+[imunify360-rollout-1-bypass]
+name=Imunify360 - Gradual Rollout Slot 1 Bypass
+baseurl=https://download.imunify360.com/el/$releasever/slot-1-bypass/x86_64/
+enabled=0
+gpgcheck=1
+gpgkey=https://repo.imunify360.cloudlinux.com/defense360/RPM-GPG-KEY-CloudLinux
+skip_if_unavailable=True
+
+[imunify360-rollout-2]
+name=Imunify360 - Gradual Rollout Slot 2
+baseurl=https://download.imunify360.com/el/$releasever/slot-2/x86_64/
+enabled=1
+gpgcheck=1
+gpgkey=https://repo.imunify360.cloudlinux.com/defense360/RPM-GPG-KEY-CloudLinux
+skip_if_unavailable=True
+
+[imunify360-rollout-2-bypass]
+name=Imunify360 - Gradual Rollout Slot 2 Bypass
+baseurl=https://download.imunify360.com/el/$releasever/slot-2-bypass/x86_64/
+enabled=0
+gpgcheck=1
+gpgkey=https://repo.imunify360.cloudlinux.com/defense360/RPM-GPG-KEY-CloudLinux
+skip_if_unavailable=True
+
+[imunify360-rollout-3]
+name=Imunify360 - Gradual Rollout Slot 3
+baseurl=https://download.imunify360.com/el/$releasever/slot-3/x86_64/
+enabled=1
+gpgcheck=1
+gpgkey=https://repo.imunify360.cloudlinux.com/defense360/RPM-GPG-KEY-CloudLinux
+skip_if_unavailable=True
+
+[imunify360-rollout-3-bypass]
+name=Imunify360 - Gradual Rollout Slot 3 Bypass
+baseurl=https://download.imunify360.com/el/$releasever/slot-3-bypass/x86_64/
+enabled=0
+gpgcheck=1
+gpgkey=https://repo.imunify360.cloudlinux.com/defense360/RPM-GPG-KEY-CloudLinux
+skip_if_unavailable=True
+
+[imunify360-rollout-4]
+name=Imunify360 - Gradual Rollout Slot 4
+baseurl=https://download.imunify360.com/el/$releasever/slot-4/x86_64/
+enabled=1
+gpgcheck=1
+gpgkey=https://repo.imunify360.cloudlinux.com/defense360/RPM-GPG-KEY-CloudLinux
+skip_if_unavailable=True
+
+[imunify360-rollout-4-bypass]
+name=Imunify360 - Gradual Rollout Slot 4 Bypass
+baseurl=https://download.imunify360.com/el/$releasever/slot-4-bypass/x86_64/
+enabled=0
+gpgcheck=1
+gpgkey=https://repo.imunify360.cloudlinux.com/defense360/RPM-GPG-KEY-CloudLinux
+skip_if_unavailable=True
\ No newline at end of file
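Review bot: `skip_if_unavailable=True` spells a boolean as a word while `enabled` and `gpgcheck` in the same stanzas use `1`/`0`; yum and dnf accept both, but `skip_if_unavailable=1` keeps one style across the file, which also ends without a trailing newline. `gpgcheck=1` covers packages only; if the repository publishes signed repomd, adding `repo_gpgcheck=1` to each stanza would extend verification to the metadata that decides which versions get installed. All four `slot-N` repositories are `enabled=1` at once, which is presumably how the gradual-rollout selection works on the agent side rather than in this file; a one-line comment at the top saying so would spare the reader the question.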