CSF + CloudFlare + Spamhaus

Replacing Cloudflare with CSF Firewall – Install Guide

 

###############################################################################

# Copyright 2006-2013, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# This file contains definitions to IP BLOCK lists.
#
# Uncomment the line starting with the rule name to use it, then restart csf
# and then lfd
#
# Each block list must be listed on per line: as NAME|INTERVAL|MAX|URL
#   NAME    : List name with all uppercase alphabetic characters with no
#             spaces and a maximum of 9 characters – this will be used as the
#             iptables chain name
#   INTERVAL: Refresh interval to download the list, must be a minimum of 3600
#             seconds (an hour), but 86400 (a day) should be more than enough
#   MAX     : This is the maximum number of IP addresses to use from the list,
#             a value of 0 means all IPs
#   URL     : The URL to download the list from
#
# Note: Some of these lists are very long (thousands of IP addresses) and
# could cause serious network and/or performance issues, so setting a value for
# the MAX field should be considered
#
# After making any changes to this file you must restart csf and then lfd
#
# If you want to redownload a blocklist you must first delete
# /etc/csf/csf.block.NAME and then restart csf and then lfd
#
# Each URL is scanned for an IPv4/CIDR address per line and if found is blocked

# Spamhaus Don’t Route Or Peer List (DROP)
# Details: http://www.spamhaus.org/drop/
SPAMDROP|86400|100|http://www.spamhaus.org/drop/drop.lasso
# Spamhaus Extended DROP List (EDROP)
# Details: http://www.spamhaus.org/drop/
SPAMEDROP|86400|100|http://www.spamhaus.org/drop/edrop.lasso
# DShield.org Recommended Block List
# Details: http://dshield.org
DSHIELD|86400|100|http://feeds.dshield.org/block.txt
# TOR Exit Nodes
# Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
TOR|86400|100|http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1
# BOGON list
# Details: http://www.team-cymru.org/Services/Bogons/
BOGON|86400|100|http://www.cymru.com/Documents/bogon-bn-agg.txt
# Project Honey Pot Directory of Dictionary Attacker IPs
# Details: http://www.projecthoneypot.org
HONEYPOT|86400|100|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1
# C.I. Army Malicious IP List
# Details: http://www.ciarmy.com
CIARMY|86400|100|http://www.ciarmy.com/list/ci-badguys.txt
# BruteForceBlocker IP List
# Details: http://danger.rulez.sk/index.php/bruteforceblocker/
BFB|86400|100|http://danger.rulez.sk/projects/bruteforceblocker/blist.php
# Emerging Threats – Russian Business Networks List
# Details: http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
RBN|86400|100|http://rules.emergingthreats.net/blockrules/rbn-ips.txt
# OpenBL.org 30 day List
# Details: http://www.openbl.org
OPENBL|86400|100|http://www.us.openbl.org/lists/base_30days.txt
# Autoshun Shun List
# Details: http://www.autoshun.org/
AUTOSHUN|86400|100|http://www.autoshun.org/files/shunlist.csv
# MaxMind GeoIP Anonymous Proxies
# Details: http://www.maxmind.com/en/anonymous_proxies
MAXMIND|86400|100|http://www.maxmind.com/en/anonymous_proxies
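
The format rules in the file header (NAME of at most 9 uppercase letters, INTERVAL of at least 3600 seconds, numeric MAX) can be checked before restarting csf. The script below is an added example, not part of CSF or of the original post; the helper name `lint_blocklists`, the plain-HTTP warning and the two broken sample entries with placeholder URLs are this example's own.

```shell
#!/bin/sh
# Added example (not part of CSF): lint csf.blocklists entries against the
# NAME|INTERVAL|MAX|URL rules in the file header. lint_blocklists is a
# hypothetical helper name; the plain-HTTP warning is this example's own check.
lint_blocklists() {
    LC_ALL=C awk -F'|' '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    NF != 4 { printf "line %d: expected NAME|INTERVAL|MAX|URL\n", NR; next }
    {
        if ($1 !~ /^[A-Z]+$/ || length($1) > 9)
            printf "%s: NAME must be 1-9 uppercase letters\n", $1
        if (seen[$1]++)
            printf "%s: duplicate NAME (it is used as the iptables chain name)\n", $1
        if ($2 !~ /^[0-9]+$/ || $2 + 0 < 3600)
            printf "%s: INTERVAL must be at least 3600 seconds\n", $1
        if ($3 !~ /^[0-9]+$/)
            printf "%s: MAX must be a number, 0 means all IPs\n", $1
        if ($4 !~ /^https?:\/\//)
            printf "%s: URL must start with http:// or https://\n", $1
        else if ($4 ~ /^http:/)
            printf "%s: list is downloaded over plain HTTP\n", $1
    }' "$1"
}

# Constructed sample: the first entry is from the file above, the other two
# are deliberately broken entries with placeholder URLs.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# comment lines are ignored
SPAMDROP|86400|100|http://www.spamhaus.org/drop/drop.lasso
MyList|86400|0|https://lists.example.test/a.txt
TOOLONGNAME|600|all|ftp://lists.example.test/b.txt
EOF
lint_blocklists "$sample"
rm -f "$sample"
```

On a server, run `lint_blocklists /etc/csf/csf.blocklists` after editing the file; no output means every active entry follows the documented format and uses HTTPS.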

CSF Config Advanced

http://community.mybb.com/thread-109982.html

 

Use CTRL + W to find each of the following (one at a time):

Code:
CT_LIMIT
CT_SKIP_TIME_WAIT
SYNFLOOD

and adjust their values to look like this:

Code:
CT_LIMIT = "50"
CT_SKIP_TIME_WAIT = "1"
SYNFLOOD = "1"

Now you are protected from DoS and SYN flood attacks, and will be notified by email when an IP is blocked.
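
CT_LIMIT caps the number of connections from a single remote IP, and CT_SKIP_TIME_WAIT = "1" leaves connections in TIME_WAIT out of that count. The script below is an added example (not from the original post and not lfd's own code) that previews which clients a limit of 50 would flag; the helper names `over_ct_limit` and `sample_ss`, the `ss -tan` input format and the constructed sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of CSF): preview which remote IPs a per-IP limit such
# as CT_LIMIT = "50" would flag, from `ss -tan` style output on stdin.
# over_ct_limit LIMIT SKIP_TIME_WAIT is a hypothetical helper; it approximates
# the counting and is not lfd's own code.
over_ct_limit() {
    awk -v limit="$1" -v skip_tw="${2:-1}" '
    $1 == "State" || $1 == "LISTEN" { next }      # header row, listening sockets
    skip_tw == 1 && $1 == "TIME-WAIT" { next }    # CT_SKIP_TIME_WAIT = "1"
    {
        peer = $5                                 # Peer Address:Port column
        sub(/:[0-9]+$/, "", peer)                 # drop the port
        count[peer]++
    }
    END { for (ip in count) if (count[ip] > limit) print ip, count[ip] }'
}

# Constructed sample using documentation address ranges only.
sample_ss() {
    echo "State Recv-Q Send-Q Local Address:Port Peer Address:Port"
    echo "LISTEN 0 128 0.0.0.0:80 0.0.0.0:*"
    awk 'BEGIN {
        for (i = 0; i < 60; i++) print "ESTAB 0 0 192.0.2.10:80 203.0.113.7:" (40000 + i)
        for (i = 0; i < 45; i++) print "ESTAB 0 0 192.0.2.10:80 198.51.100.9:" (41000 + i)
        for (i = 0; i < 20; i++) print "TIME-WAIT 0 0 192.0.2.10:80 198.51.100.9:" (42000 + i)
    }'
}

echo "TIME_WAIT skipped:"; sample_ss | over_ct_limit 50 1
echo "TIME_WAIT counted:"; sample_ss | over_ct_limit 50 0
```

On a live host, `ss -tan | over_ct_limit 50 1` shows which clients already exceed the limit, which helps spot busy legitimate sources such as proxies before the setting is enabled.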
——

Protection from spam attacks

You can configure CSF to block known spammers in the DShield, Spamhaus and BOGON lists. To do this, open the CSF configuration file again:

Code:
cd /etc/csf
nano csf.conf

Use CTRL + W to find each of the following (one at a time):

Code:
LF_DSHIELD = "0"
LF_SPAMHAUS = "0"
LF_BOGON = "0"

and adjust their values to look like this:

Code:
LF_DSHIELD = "86400"
LF_SPAMHAUS = "86400"
LF_BOGON = "86400"

BOGON is optional; I don’t recommend it as much.
Now your server and forum are protected from a huge, ever-growing list of known bad IPs.
———-

Other useful settings

You can block countries known to attack. Find the following:

Code:
CC_DENY = ""

and modify it to suit your needs. For example, to block all incoming traffic from Great Britain and China, adjust it like this:

Code:
CC_DENY = "GB,CN"

———-

You can configure lfd to watch directories for suspicious files. Find the following:

Code:
LF_DIRWATCH

and give it a value of 300:

Code:
LF_DIRWATCH = "300"

If a suspicious file is found, you will receive an email.
———-

How to install CSF Firewall

yum install -y perl-libwww-perl
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
perl /etc/csf/csftest.pl
sh /etc/csf/remove_apf_bfd.sh

Change the following in csf.conf, save your changes, and restart csf and lfd.

SYNFLOOD = "1"
SYNFLOOD_RATE = "25/s"
SYNFLOOD_BURST = "80" 

VERBOSE = "1" 

PS_INTERVAL = "60"
PS_LIMIT = "5" 

LF_NETBLOCK = "1"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"

http://www.directadmin.com/forum/showthread.php?p=142884

*LF_INTEGRITY = "3600" means the check runs every 1 hour
*LF_TRIGGER_PERM = "3600" means anyone who gets banned is banned for 1 hour
*DENY_TEMP_IP_LIMIT = "100" means a maximum of 100 banned IPs

Latest detailed version

http://www.hosttook.com/wwd/announcements.php?id=21