Distributed attack tracking - LF_DISTATTACK
Enable the tracking of login failures from distributed IP addresses to a specific application account. If the number of
failures matches the application trigger then all of the IP addresses involved in the attack will be blocked. Tracking
applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD, LF_HTACCESS.
Default: 0 Range: 0-1
Distributed attack trigger - LF_DISTATTACK_UNIQ
The minimum number of unique IP addresses that trigger LF_DISTATTACK.
Default: 2 Range: 2-20
Distributed tracking interval - LF_DIST_INTERVAL
The interval in seconds during which distributed FTP logins are counted.
Default: 300 Range: 60-86400
Distributed tracking event script - LF_DIST_ACTION
The path to a script that will run when a distributed FTP login event is triggered.
Default: empty
Distributed FTP limit - LF_DISTFTP
Keep track of successful FTP logins. If the number of successful logins to an individual account is at least LF_DISTFTP
in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses then all of the IP addresses will be blocked. To disable
this option set to 0.
Default: 0 Range: 0-20
Distributed FTP trigger - LF_DISTFTP_UNIQ
The minimum number of unique IP addresses that trigger LF_DISTFTP. LF_DISTFTP_UNIQ must be less than or equal to
LF_DISTFTP for this to function properly.
Default: 3 Range: 2-20
Distributed FTP block time - LF_DISTFTP_PERM
Enable permanent or temporary blocking (1 = permanent; any value greater than 1 is the number of seconds to block
temporarily for).
Default: 1 Range: 0-604800
Distributed SMTP limit - LF_DISTSMTP
Keep track of successful SMTP logins (Postfix only). If the number of successful logins to an individual account is at
least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP addresses, then all of the IP addresses will be
blocked. To disable this option set to 0. This option can help mitigate the common SMTP account compromise attacks that
use a distributed network of zombies to send spam. A sensible setting for this might be 5, depending on how many
different IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL.
Default: 0 Range: 0-20
Distributed SMTP trigger - LF_DISTSMTP_UNIQ
The minimum number of unique IP addresses that trigger LF_DISTSMTP. LF_DISTSMTP_UNIQ must be less than or equal to
LF_DISTSMTP for this to function properly.
Default: 3 Range: 2-20
Distributed SMTP block time - LF_DISTSMTP_PERM
Enable permanent or temporary blocking (1 = permanent; any value greater than 1 is the number of seconds to block
temporarily for).
Default: 1 Range: 0-604800
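The LF_DISTSMTP rule above, worked through as an added example (not code from the page or from the firewall itself): successful Postfix SASL logins are tallied per account inside a sliding LF_DIST_INTERVAL, and an account that reaches LF_DISTSMTP logins from at least LF_DISTSMTP_UNIQ distinct IPs has all of those IPs returned for blocking. The log lines, the setting values and the assumption that lines arrive in time order are constructed here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Settings assumed for this example (names from the page, values chosen here to
# match its "sensible setting" of 5 logins from at least 3 IPs in 300 seconds)
LF_DISTSMTP = 5
LF_DISTSMTP_UNIQ = 3
LF_DIST_INTERVAL = 300

# Constructed Postfix smtpd lines (not from the page); the "warning" line is a failure
SAMPLE_LOG = """\
Nov 14 10:00:05 mx postfix/smtpd[101]: 1A2B3C: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.com
Nov 14 10:00:10 mx postfix/smtpd[102]: 1A2B3D: client=unknown[203.0.113.200], sasl_method=PLAIN, sasl_username=bob@example.com
Nov 14 10:00:12 mx postfix/smtpd[103]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed
Nov 14 10:00:40 mx postfix/smtpd[104]: 1A2B3E: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Nov 14 10:00:50 mx postfix/smtpd[105]: 1A2B3F: client=unknown[203.0.113.200], sasl_method=PLAIN, sasl_username=bob@example.com
Nov 14 10:01:15 mx postfix/smtpd[106]: 1A2B40: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.com
Nov 14 10:01:30 mx postfix/smtpd[107]: 1A2B41: client=unknown[203.0.113.200], sasl_method=PLAIN, sasl_username=bob@example.com
Nov 14 10:02:10 mx postfix/smtpd[108]: 1A2B42: client=unknown[203.0.113.200], sasl_method=PLAIN, sasl_username=bob@example.com
Nov 14 10:02:30 mx postfix/smtpd[109]: 1A2B43: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=alice@example.com
Nov 14 10:02:50 mx postfix/smtpd[110]: 1A2B44: client=unknown[203.0.113.200], sasl_method=PLAIN, sasl_username=bob@example.com
Nov 14 10:03:55 mx postfix/smtpd[111]: 1A2B45: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
"""

SASL_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+\[(?P<ip>[\d.]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)$")

def distributed_smtp_blocks(lines, limit=LF_DISTSMTP, uniq=LF_DISTSMTP_UNIQ,
                            interval=LF_DIST_INTERVAL, year=2024):
    """Return {account: sorted IPs} for accounts that meet the LF_DISTSMTP rule.
    Lines are assumed to be in chronological order (as in a log file)."""
    if uniq > limit:
        raise ValueError("LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP")
    window, history, blocks = timedelta(seconds=interval), defaultdict(list), {}
    for line in lines:
        m = SASL_LOGIN.match(line)
        if not m:
            continue  # failures and other smtpd lines are not successful logins
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        # keep only this account's logins inside the sliding LF_DIST_INTERVAL
        recent = [(t, ip) for t, ip in history[m["user"]] if ts - t <= window]
        recent.append((ts, m["ip"]))
        history[m["user"]] = recent
        ips = {ip for _, ip in recent}
        if len(recent) >= limit and len(ips) >= uniq:
            blocks[m["user"]] = sorted(ips)  # every involved IP gets blocked
    return blocks
```

With the sample, alice (5 logins from 3 IPs in under 4 minutes) trips the rule while bob (5 logins from one IP) does not, which is the distinction the LF_DISTSMTP_UNIQ threshold exists to make.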
Login tracking POP3 limit - LT_POP3D
Block an IP address if it logs in to POP3 more than LT_POP3D times per hour for a single account. This is a temporary
block for the rest of the hour, after which the IP address is unblocked. To disable this option set to 0.
Default: 0 Range: 0-180
Login tracking IMAP limit - LT_IMAPD
Block an IP address if it logs in to IMAP more than LT_IMAPD times per hour for a single account. This is a temporary
block for the rest of the hour, after which the IP address is unblocked. To disable this option set to 0.
Default: 0 Range: 0-180
Skip permanent blocking for login tracking - LT_SKIPPERMBLOCK
Do not permanently block IP addresses blocked via LT_POP3D or LT_IMAPD tracking.
Default: 0 Range: 0-1
Connection tracking limit - CT_LIMIT
Enable the tracking of all connections from IP addresses to the server. If the total number of connections from one IP
address is greater than this option then the offending IP address is blocked. This can help stop some types of DoS
attack. To disable this option set to 0. Warning: Do not set this number too low. A recommended setting would be around
500.
Default: 0 Range: 0|10-1000
Connection tracking subnet limit - CT_SUBNET_LIMIT
If the total number of connections from a class C subnet (a /24) is greater than this value then the offending subnet is
blocked according to the other CT_* settings. This option can be used to help prevent some types of DoS attack where a
range of IPs between x.y.z.1-255 has connected to the server. If you use a reverse proxy service such as Cloudflare you
should not enable this option, or should exclude the ports that you have proxied in CT_PORTS. To disable this feature,
set this to 0. Warning: Do not set this number too low.
Default: 0
Connection tracking interval - CT_INTERVAL
The number of seconds between connection tracking scans.
Default: 30 Range: 10-3600
Connection tracking permanent blocking - CT_PERMANENT
Enable permanent blocking for an IP address when blocked due to connection tracking.
Default: 0 Range: 0-1
Connection tracking block time - CT_BLOCK_TIME
The interval in seconds that the IP will remain blocked for.
Default: 1800 Range: 300-86400
Skip TIME_WAIT state - CT_SKIP_TIME_WAIT
Do not count the TIME_WAIT state against the connection count.
Default: 0 Range: 0-1
Connection tracking states - CT_STATES
Only count specific states (e.g. SYN_RECV,TIME_WAIT) for connection tracking. An empty value will count all states
against CT_LIMIT.
Default: empty
Connection tracking ports - CT_PORTS
Only count specific ports (e.g. 80,443) for connection tracking. An empty value will count all ports against CT_LIMIT.
Default: empty
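One connection tracking scan over the CT_* settings above, as an added example (not the firewall's own code): connections are filtered by CT_SKIP_TIME_WAIT, CT_STATES and CT_PORTS, then counted per IP against CT_LIMIT and per class C (/24) against CT_SUBNET_LIMIT. The connection table and the setting values are constructed here; on a real host the rows would come from the kernel's socket table.

```python
import ipaddress
from collections import Counter

# Settings assumed for this example (names from the page, values chosen here)
CT_LIMIT = 5            # connections per IP before it is blocked (0 disables)
CT_SUBNET_LIMIT = 8     # connections per class C (/24) before the subnet is blocked
CT_SKIP_TIME_WAIT = 1   # 1: ignore TIME_WAIT sockets
CT_STATES = ""          # e.g. "SYN_RECV,TIME_WAIT"; empty counts every state
CT_PORTS = "80,443"     # empty counts every local port

# Constructed connection table (not from the page): (state, local port, remote IP)
SAMPLE_CONNS = (
    [("ESTABLISHED", 443, "203.0.113.5")] * 6             # one IP over CT_LIMIT
    + [("ESTABLISHED", 443, "198.51.100.9")] * 4
    + [("TIME_WAIT", 443, "198.51.100.9")] * 3             # only counted without skip
    + [("ESTABLISHED", 80, f"192.0.2.{i}") for i in range(1, 10)]  # a /24 swarm
    + [("ESTABLISHED", 22, "203.0.113.77")] * 6            # port not in CT_PORTS
)

def connection_tracking(conns, limit=CT_LIMIT, subnet_limit=CT_SUBNET_LIMIT,
                        skip_time_wait=CT_SKIP_TIME_WAIT, ct_states=CT_STATES,
                        ct_ports=CT_PORTS):
    """Return (blocked IPs, blocked /24 subnets) for one tracking scan."""
    states = {s.strip() for s in ct_states.split(",") if s.strip()}
    ports = {int(p) for p in ct_ports.split(",") if p.strip()}
    per_ip, per_subnet = Counter(), Counter()
    for state, port, ip in conns:
        if skip_time_wait and state == "TIME_WAIT":
            continue
        if states and state not in states:
            continue
        if ports and port not in ports:
            continue
        per_ip[ip] += 1
        subnet = ipaddress.ip_network(f"{ip}/24", strict=False)  # class C of the IP
        per_subnet[str(subnet)] += 1
    blocked_ips = sorted(ip for ip, n in per_ip.items() if limit and n > limit)
    blocked_subnets = sorted(s for s, n in per_subnet.items()
                             if subnet_limit and n > subnet_limit)
    return blocked_ips, blocked_subnets
```

The swarm case shows why CT_SUBNET_LIMIT exists: no single 192.0.2.x host exceeds CT_LIMIT, yet the /24 as a whole does.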
Process tracking limit - PT_LIMIT
Enable the tracking of processes and examine them for suspicious executables or open network ports. If a suspicious
process is found an alert email is sent. This option is the number of seconds a process has to be active before it is
inspected. To disable this option set to 0.
Default: 0 Range: 0-3600
Process tracking interval - PT_INTERVAL
The interval in seconds for how frequently processes are checked.
Default: 60 Range: 10-3600
Skip tracking of HTTP scripts - PT_SKIP_HTTP
Do not have process tracking flag PHP or Perl scripts that are run.
Default: 0 Range: 0-1
Track all user accounts - PT_ALL_USERS
Enable the tracking of all Linux accounts on the server. This is recommended to improve security against compromised
accounts.
Default: 0 Range: 0-1
Skip deleted processes - PT_DELETED
Report processes whose binary has been deleted from disk.
Default: 0 Range: 0-1
Deleted process event script - PT_DELETED_ACTION
The full path to a script that is run when a PT_DELETED event is triggered. The action script must have the execute bit
and its interpreter set.
Default: empty
User process limit - PT_USERPROC
Track the number of processes any given account is running at one time. If the number of processes exceeds this value,
an email alert is sent with details of those processes. To disable this option set to 0.
Default: 10 Range: 0-100
User process memory limit - PT_USERMEM
Send an alert if any user process exceeds the memory usage set (MB). To disable this option set to 0.
Default: 512 Range: 0-1024
User process RSS memory limit - PT_USERRSS
Send an alert if any user process exceeds the RSS memory usage set (MB) - RAM used, not virtual. To ignore specific processes or users use Process Tracking Ignore.
Default: 256 Range: 0-1024
User process time limit - PT_USERTIME
Send an alert if any user process exceeds the time usage set (in seconds). To disable this option set to 0.
Default: 1800 Range: 0-86400
User process killing - PT_USERKILL
Enable the killing of processes detected by PT_USERMEM, PT_USERTIME or PT_USERPROC. This is not recommended.
Default: 0 Range: 0-1
User process event script - PT_USER_ACTION
The full path to a script that is run when a PT_USERKILL event is triggered. The action script must have the execute bit
and its interpreter set.
Default: empty
Load level checking interval - PT_LOAD
Check the PT_LOAD_AVG minute load average on the server every PT_LOAD seconds. If the load average is greater than or
equal to PT_LOAD_LEVEL then an email alert is sent. The login failure daemon does not report further high load events
until PT_LOAD_SKIP seconds have passed, to prevent email floods. To disable this option set to 0.
Default: 30 Range: 0-3600
Load level average - PT_LOAD_AVG
The process tracking load average.
Default: 5 Range: 1|5|15
Load level alert limit - PT_LOAD_LEVEL
The process tracking load level.
Default: 6 Range: 2-20
Skip load level alert interval - PT_LOAD_SKIP
The login failure daemon does not report subsequent high load events until PT_LOAD_SKIP seconds have passed, to prevent
email floods.
Default: 3600 Range: 1800-86400
Apache server status URL - PT_APACHESTATUS
The Apache Server Status URL used in the load average email alert. The Apache mod_status module is required.
Default: http://localhost:7080/server-status
Load level event script - PT_LOAD_ACTION
The full path to a script that is run when a PT_LOAD event is triggered. The action script must have the execute bit and
its interpreter set.
Default: empty
Forkbomb limit - PT_FORKBOMB
Check the number of processes with the same session id and if greater than the value set, the whole session tree is
terminated and an alert sent.
Default: 0 Range: 0|100-1000
Terminate blocked IP SSHD sessions - PT_SSHDKILL
Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes are often left hung after their connecting
IP addresses have been blocked. This option will terminate the SSH processes created by the blocked IP. This option is
preferred over PT_SSHDHUNG.
Default: 0 Range: 0-1
Terminate hung SSHD sessions - PT_SSHDHUNG
Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes are often left hung after their connecting
IP addresses have been blocked. This option will terminate all processes with the cmdline of "sshd: unknown [net]" or
"sshd: unknown [priv]" if they have been running for more than 60 seconds. Note: It is possible that enabling this
option may have adverse effects on valid SSHD processes. If this is the case, this option should be disabled.
Default: 0 Range: 0-1
Port scan tracking interval - PS_INTERVAL
If an IP address generates port blocks that are logged more than PS_LIMIT times within PS_INTERVAL seconds, the IP
address will be blocked. To disable this option set to 0.
Default: 0 Range: 0|60-3600
Port scan tracking limit - PS_LIMIT
If an IP address generates port blocks that are logged more than PS_LIMIT times within PS_INTERVAL seconds, the IP
address will be blocked.
Default: 10 Range: 2-20
Port scan tracking ports - PS_PORTS
The ports / port ranges that should be tracked by the Port Scan Tracking feature.
Default: 0:65535,ICMP
Port scan tracking diversity - PS_DIVERSITY
How many different ports qualify as a port scan. Raising this value above 1 means that persistent attempts to attack a
specific closed port will not be detected and blocked.
Default: 1 Range: 1-100
Port scan tracking permanent blocking - PS_PERMANENT
Make port scan tracking blocks Permanent.
Default: 0 Range: 0-1
Port scan tracking block time - PS_BLOCK_TIME
The port scan tracking temporary block time in seconds.
Default: 3600 Range: 300-86400
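The port scan tracking rule across PS_INTERVAL, PS_LIMIT and PS_DIVERSITY, as an added example (not the firewall's own code): logged port blocks are kept per source IP in a sliding PS_INTERVAL window, and a source with more than PS_LIMIT of them hitting at least PS_DIVERSITY distinct ports is returned for blocking. The syslog lines are constructed here in the shape of an iptables log prefix, and the "Firewall: *TCP_IN Blocked*" text, host names and setting values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Settings assumed for this example (names from the page, values chosen here)
PS_INTERVAL = 300    # seconds; 0 disables port scan tracking
PS_LIMIT = 10        # more than this many logged port blocks in PS_INTERVAL
PS_DIVERSITY = 1     # distinct destination ports needed to count as a scan

def make_line(sec, src, dpt):
    """Build a constructed syslog line shaped like an iptables drop (not from the page)."""
    return (f"Nov 14 10:{sec // 60:02d}:{sec % 60:02d} host kernel: Firewall: *TCP_IN Blocked* "
            f"IN=eth0 OUT= SRC={src} DST=192.0.2.1 PROTO=TCP SPT=51000 DPT={dpt}")

SAMPLE_LOG = (  # per source the lines are in time order, as in a log file
    [make_line(i * 10, "203.0.113.9", 20 + i) for i in range(12)]   # 12 ports in 2 minutes
    + [make_line(i * 10, "198.51.100.4", 22) for i in range(12)]    # 12 hits on one port
    + [make_line(i * 60, "192.0.2.200", 3389) for i in range(12)]   # too slow: 1 per minute
)

BLOCKED = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Firewall: "
                     r"\*\w+ Blocked\* .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")

def port_scan_blocks(lines, interval=PS_INTERVAL, limit=PS_LIMIT,
                     diversity=PS_DIVERSITY, year=2024):
    """Return {source IP: sorted ports hit} for sources that meet the PS_* rule."""
    if interval == 0:
        return {}
    window, events, blocks = timedelta(seconds=interval), defaultdict(list), {}
    for line in lines:
        m = BLOCKED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        # sliding window of this source's logged port blocks within PS_INTERVAL
        recent = [(t, p) for t, p in events[m["src"]] if ts - t <= window]
        recent.append((ts, int(m["dpt"])))
        events[m["src"]] = recent
        ports = {p for _, p in recent}
        if len(recent) > limit and len(ports) >= diversity:
            blocks[m["src"]] = sorted(ports)
    return blocks
```

Raising PS_DIVERSITY to 2 drops the single-port source from the result, which is exactly the trade-off the PS_DIVERSITY description warns about.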
User ID tracking interval - UID_INTERVAL
Enable user ID tracking. Track UID blocks logged by iptables to syslog. If a UID generates a port block that is logged
more than UID_LIMIT times within UID_INTERVAL seconds, an alert will be sent.
Default: 0 Range: 0|60-86400
User ID tracking limit - UID_LIMIT
The number of logged port blocks from a UID within UID_INTERVAL before an alert is sent.
Default: 10 Range: 1-100
User ID tracking port range - UID_PORTS
The port or port ranges that should be tracked by the User ID tracking feature. The default setting of 0:65535,ICMP
covers all ports.
Default: 0:65535,ICMP
Account tracking - AT_ALERT
Enable the tracking of modifications to the accounts on a server. If account tracking options are triggered then an
alert email is sent.
Default: 2 Range: 0-2
Account tracking interval - AT_INTERVAL
The interval in seconds between account tracking checking.
Default: 60 Range: 10-3600