Configure the messenger service to display a message to a blocked IP address.
```sh
juggernaut --task=lfd:messenger
```
Option | Value | Default | Description
---|---|---|---
--MESSENGER | <1\|0> | 1 | Display a message to a blocked connecting IP address to inform the user that they are blocked by the firewall. The service is provided by two daemons running on ports providing either an HTML or TEXT message. The iptables module ipt_REDIRECT is required.
--MESSENGER_TEMP | <1\|0> | 1 | Show the message for temporary IP address blocks.
--MESSENGER_PERM | <1\|0> | 1 | Show the message for permanent IP address blocks.
--MESSENGER_USER | <string> | csf | The user account to run the messenger service servers under.
--MESSENGER_CHILDREN | <2-200> | 20 | The maximum concurrent connections allowed to each service server.
--MESSENGER_RATE | <string> | 100/s | Limit the rate at which connections can be made to the messenger service servers. See the iptables man page for the correct --limit rate syntax.
--MESSENGER_BURST | <digit> | 150 | The maximum initial number of packets to match.
--MESSENGERV3 | <1\|0> | 0 | Use the web server http daemon to provide the web server functionality for the MESSENGER HTML and HTTPS services. It uses a fraction of the resources that the lfd inbuilt service uses and overcomes the memory overhead of using the MESSENGER HTTPS service. This option requires that the PHP packages from your OS vendor are installed and that FAST-CGI support is enabled in Apache.
--MESSENGERV3LOCATION | <string> | /etc/httpd/conf.d/ | The file or directory where the additional web server configuration file should be included.
--MESSENGERV3RESTART | <string> | systemctl restart httpd | The command to restart the web server.
--MESSENGERV3TEST | <string> | /usr/sbin/apachectl -t | The command to test the validity of the web server configuration. If using Litespeed, set to empty.
--MESSENGERV3HTTPS_CONF | <string> | /etc/httpd/conf/httpd.conf | The main httpd.conf file for either Apache or Litespeed.
--MESSENGERV3WEBSERVER | <apache\|litespeed> | apache | Set to apache for servers running Apache v2.4+ or litespeed for Litespeed.
--MESSENGERV3PERMS | <digit> | 711 | On creation, set the MESSENGER_USER public_html directory permissions to this value. Note: if you precreate this directory, this setting is ignored.
--MESSENGERV3GROUP | <string> | apache | On creation, set the MESSENGER_USER public_html directory group to this value. Note: if you precreate this directory, this setting is ignored.
--MESSENGERV3PHPHANDLER | <string> | Include /etc/csf/csf_php.conf | The web server configuration to allow PHP scripts to run. This should be set as an "Include /home/csf/csf_php.conf" or similar file which must contain appropriate web server configuration to allow PHP scripts to run. This line will be included within each MESSENGER VirtualHost container. It replaces the [MESSENGERV3PHPHANDLER] line in the csf web server template files.
--MESSENGER_HTTPS | <string> | 8887 | The port that will receive the HTTPS HTML message. You should configure this port to be greater than 1023 and different from the TEXT and HTML ports. Do NOT enable access to this port in TCP_IN. This option requires the perl module IO::Socket::SSL at a version that supports SNI (1.83+). Additionally, the version of openssl on the server must also support SNI. The option uses the existing SSL certificates on the server for each domain to maintain a secure connection without browser warnings, and uses SNI to choose the correct certificate for each client connection.
--MESSENGER_HTTPS_IN | <digit1,digit2> | 443,7081,8443 | A comma separated list of the HTTPS HTML ports that will be redirected for the blocked IP address. If you are using per application blocking (LF_TRIGGER) then only the relevant block port will be redirected to the messenger port. Recommended setting: 443 plus any end-user control panel SSL ports.
--MESSENGER_HTTPS_IN_add | | | Add a single entry to MESSENGER_HTTPS_IN.
--MESSENGER_HTTPS_IN_del | | | Remove a single entry from MESSENGER_HTTPS_IN.
--MESSENGER_HTTPS_CONF | <string> | /etc/httpd/conf/plesk.conf.d//.conf | This option points to the file(s) containing the Apache VirtualHost SSL definitions. This can be a file glob if there are multiple files to search. Only Apache v2 SSL VirtualHost definitions are supported.
--MESSENGER_HTTPS_KEY | <string> | /etc/pki/tls/private/localhost.key | Together with MESSENGER_HTTPS_CRT, provides a default fallback certificate to be used if either SNI is not supported or a hosted domain does not have an SSL certificate. If a fallback is not provided, one of the certs obtained from MESSENGER_HTTPS_CONF will be used.
--MESSENGER_HTTPS_CRT | <string> | /etc/pki/tls/certs/localhost.crt | Together with MESSENGER_HTTPS_KEY, provides a default fallback certificate to be used if either SNI is not supported or a hosted domain does not have an SSL certificate. If a fallback is not provided, one of the certs obtained from MESSENGER_HTTPS_CONF will be used.
--MESSENGER_HTML | <string> | 8888 | The port that will receive the HTML message. You should configure this port to be greater than 1023 and different from the TEXT port. Do NOT enable access to this port in TCP_IN.
--MESSENGER_HTML_IN | <digit1,digit2> | 80,7080,8880 | The HTML ports (comma separated) that will be redirected for the blocked IP address. If you are using per application blocking (LF_TRIGGER) then only the relevant block port will be redirected to the messenger port.
--MESSENGER_HTML_IN_add | | | Add a single entry to MESSENGER_HTML_IN.
--MESSENGER_HTML_IN_del | | | Remove a single entry from MESSENGER_HTML_IN.
--MESSENGER_TEXT | <string> | 8889 | The port that will receive the TEXT message. You should configure this port to be greater than 1023 and different from the HTML port. Do NOT enable access to this port in TCP_IN.
--MESSENGER_TEXT_IN | <digit1,digit2> | 21 | The TEXT ports (comma separated) that will be redirected for the blocked IP address. If you are using per application blocking (LF_TRIGGER) then only the relevant block port will be redirected to the messenger port.
--MESSENGER_TEXT_IN_add | | | Add a single entry to MESSENGER_TEXT_IN.
--MESSENGER_TEXT_IN_del | | | Remove a single entry from MESSENGER_TEXT_IN.
--RECAPTCHA_SITEKEY | <string> | | The RECAPTCHA options provide a way for end-users that have blocked themselves in the firewall to unblock themselves. A valid Google reCAPTCHA (v2) key set is required for this feature, from https://www.google.com/recaptcha/intro/index.html. This feature requires the installation of the LWP::UserAgent perl module. Note: an unblock will fail if the end-user's IP is located in a netblock, blocklist or CC_* deny entry.
--RECAPTCHA_SECRET | <string> | | When configuring a new reCAPTCHA API key set, you must ensure that the option for Domain Name Validation is unticked so that the same reCAPTCHA can be used for all domains hosted on the server. lfd then checks that the hostname of the request resolves to an IP on this server.
--RECAPTCHA_NAT | <digit1,digit2> | | If the server uses NAT then resolving the hostname to hosted IPs will likely not succeed. In that case, the external IP addresses must be listed here as a comma separated list.
--RECAPTCHA_NAT_add | | | Add a single entry to RECAPTCHA_NAT.
--RECAPTCHA_NAT_del | | | Remove a single entry from RECAPTCHA_NAT.
--default | <yes> | | Reset all settings to their default values.
--default_option | <option> | | Reset a specific setting to its default value.
--restart | <yes> | | Restart the service after saving settings.
```sh
# enable MESSENGER
juggernaut --task=lfd:messenger --MESSENGER=1 --restart=yes
# reset MESSENGER back to default
juggernaut --task=lfd:messenger --default_option=MESSENGER --restart=yes
# reset all settings back to default
juggernaut --task=lfd:messenger --default=yes --restart=yes
```
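The table above states three constraints on MESSENGER_HTTPS, MESSENGER_HTML and MESSENGER_TEXT (each above 1023, all distinct, none opened in TCP_IN). The following is an added example, not part of the juggernaut or csf documentation, that checks a proposed assignment against those constraints before the juggernaut call; the TCP_IN value and the port numbers are constructed sample values.

```sh
#!/bin/sh
# Added example (not juggernaut/csf code): validate a MESSENGER_HTTPS /
# MESSENGER_HTML / MESSENGER_TEXT assignment against the option table's
# constraints before handing it to juggernaut.

# port_in_tcp_in PORT TCP_IN: 0 if PORT is covered by the comma separated
# TCP_IN list, which may contain single ports or lo:hi ranges.
port_in_tcp_in() {
    p="$1"; saved_ifs="$IFS"; IFS=','
    for entry in $2; do
        case "$entry" in
            *:*) lo="${entry%%:*}"; hi="${entry##*:}"
                 if [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]; then
                     IFS="$saved_ifs"; return 0
                 fi ;;
            *)   if [ "$entry" = "$p" ]; then IFS="$saved_ifs"; return 0; fi ;;
        esac
    done
    IFS="$saved_ifs"; return 1
}

# check_messenger_ports HTTPS HTML TEXT TCP_IN: 0 if every constraint holds,
# 1 otherwise, with the first violated constraint reported on stderr.
check_messenger_ports() {
    https="$1"; html="$2"; text="$3"; tcp_in="$4"
    for p in "$https" "$html" "$text"; do
        case "$p" in
            ''|*[!0-9]*) echo "port '$p' is not numeric" >&2; return 1 ;;
        esac
        if [ "$p" -le 1023 ] || [ "$p" -gt 65535 ]; then
            echo "port $p must be in the range 1024-65535" >&2; return 1
        fi
        if port_in_tcp_in "$p" "$tcp_in"; then
            echo "port $p is open in TCP_IN; messenger ports must not be" >&2
            return 1
        fi
    done
    if [ "$https" = "$html" ] || [ "$https" = "$text" ] || [ "$html" = "$text" ]; then
        echo "messenger ports must be distinct" >&2; return 1
    fi
    return 0
}

# Constructed sample TCP_IN (assumption; read the real value from csf.conf).
SAMPLE_TCP_IN="20,21,22,25,53,80,110,143,443,465,587,993,995,30000:35000"
if check_messenger_ports 8887 8888 8889 "$SAMPLE_TCP_IN"; then
    # Dry run: print the juggernaut command instead of executing it.
    echo "juggernaut --task=lfd:messenger --MESSENGER=1" \
         "--MESSENGER_HTTPS=8887 --MESSENGER_HTML=8888 --MESSENGER_TEXT=8889 --restart=yes"
fi
```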