Tracking Settings

Distributed Attack Tracking

Distributed attack tracking - LF_DISTATTACK
Enable the tracking of login failures from distributed IP addresses to a specific application account. If the number of failures matches the application trigger then all of the IP addresses involved in the attack will be blocked. Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD, LF_HTACCESS.
Default: 0 Range: 0-1

Distributed attack trigger - LF_DISTATTACK_UNIQ
The minimum number of unique IP addresses that trigger LF_DISTATTACK.
Default: 2 Range: 2-20

Distributed tracking interval - LF_DIST_INTERVAL
The interval in seconds during which a distributed FTP or SMTP login attack is measured (used by LF_DISTFTP and LF_DISTSMTP).
Default: 300 Range: 60-86400

Distributed tracking event script - LF_DIST_ACTION
The path to a script that will run when a distributed FTP login event is triggered.
Default: empty

Distributed FTP Tracking

Distributed FTP limit - LF_DISTFTP
Keep track of successful FTP logins. If the number of successful logins to an individual account is at least LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses then all of the IP addresses will be blocked. To disable this option set to 0.
Default: 0 Range: 0-20

Distributed FTP trigger - LF_DISTFTP_UNIQ
The minimum number of unique IP addresses that trigger LF_DISTFTP. LF_DISTFTP_UNIQ must be less than or equal to LF_DISTFTP for this to function properly.
Default: 3 Range: 2-20

Distributed FTP block time - LF_DISTFTP_PERM
Enable permanent or temporary blocking (1 = permanent; any value greater than 1 is the number of seconds to temporarily block for).
Default: 1 Range: 0-604800

Distributed SMTP Tracking

Distributed SMTP limit - LF_DISTSMTP
Keep track of successful SMTP logins (Postfix only). If the number of successful logins to an individual account is at least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP addresses, then all of the IP addresses will be blocked. To disable this option set to 0. This option can help mitigate the common SMTP account compromise attacks that use a distributed network of zombies to send spam. A sensible setting for this might be 5, depending on how many different IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL.
Default: 0 Range: 0-20

Distributed SMTP trigger - LF_DISTSMTP_UNIQ
The minimum number of unique IP addresses that trigger LF_DISTSMTP. LF_DISTSMTP_UNIQ must be less than or equal to LF_DISTSMTP for this to function properly.
Default: 3 Range: 2-20

Distributed SMTP block time - LF_DISTSMTP_PERM
Enable permanent or temporary blocking (1 = permanent; any value greater than 1 is the number of seconds to temporarily block for).
Default: 1 Range: 0-604800
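The rule that LF_DISTFTP and LF_DISTSMTP describe (at least LIMIT successful logins to one account within LF_DIST_INTERVAL, from at least UNIQ distinct addresses), as an added illustration run over constructed login events; this is not the product's own code, and the setting values and event list are chosen for the example:

```python
from collections import defaultdict

# Setting values as they would be entered on this page (chosen for the example)
LF_DISTSMTP = 5         # successful logins to one account within the interval
LF_DISTSMTP_UNIQ = 3    # ...coming from at least this many distinct IP addresses
LF_DIST_INTERVAL = 300  # seconds

# Constructed successful-login events: (epoch seconds, account, source IP)
EVENTS = [
    (1000, "alice@example.com", "203.0.113.5"),
    (1010, "alice@example.com", "203.0.113.5"),
    (1020, "bob@example.com", "198.51.100.7"),
    (1100, "alice@example.com", "198.51.100.9"),
    (1150, "alice@example.com", "192.0.2.33"),
    (1200, "alice@example.com", "192.0.2.34"),
    (1900, "bob@example.com", "198.51.100.8"),
]

def settings_consistent(limit, uniq):
    """UNIQ must be <= limit: 'limit' logins can never come from more than
    'limit' distinct addresses, so a larger UNIQ could never trigger."""
    return 0 < uniq <= limit

def distributed_logins(events, limit, uniq, interval):
    """Return {account: sorted IPs to block} for every account whose logins in
    some `interval`-second window number at least `limit` and come from at
    least `uniq` distinct IPs. A limit of 0 disables the check."""
    if limit == 0 or not settings_consistent(limit, uniq):
        return {}
    by_account = defaultdict(list)
    for ts, account, ip in sorted(events):
        by_account[account].append((ts, ip))
    hits = {}
    for account, logins in by_account.items():
        for i, (ts, _) in enumerate(logins):
            # window ending at this login, looking back `interval` seconds
            window = [ip for t, ip in logins[: i + 1] if ts - t <= interval]
            if len(window) >= limit and len(set(window)) >= uniq:
                hits[account] = sorted(set(window))
                break
    return hits
```

With the values above, alice's five logins from four addresses inside 200 seconds trip the rule and every address involved is returned, while bob's two logins do not.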

Login Tracking

Login tracking POP3 limit - LT_POP3D
Block POP3 logins if greater than LT_POP3D times per hour per account per IP address. This is a temporary block for the rest of the hour, then the IP address is unblocked. To disable this option set to 0.
Default: 0 Range: 0-180

Login tracking IMAP limit - LT_IMAPD
Block IMAP logins if greater than LT_IMAPD times per hour per account per IP address. This is a temporary block for the rest of the hour, then the IP address is unblocked. To disable this option set to 0.
Default: 0 Range: 0-180

Skip permanent blocking for login tracking - LT_SKIPPERMBLOCK
Do not permanently block IP addresses blocked via LT_POP3D or LT_IMAPD tracking.
Default: 0 Range: 0-1

Connection Tracking

Connection tracking limit - CT_LIMIT
Enable the tracking of all connections from IP addresses to the server. If the total number of connections is greater than this option then the offending IP address is blocked. This can help stop some types of DoS attack. To disable this option set to 0. Warning: Do not set this number too low. A recommended setting would be around 500.
Default: 0 Range: 0|10-1000

Connection tracking subnet limit - CT_SUBNET_LIMIT
If the total number of connections from a class C subnet is greater than this value then the offending subnet is blocked according to the other CT_* settings. This option can be used to help prevent some types of DoS attack where a range of IPs between x.y.z.1-255 has connected to the server. If you use a reverse proxy service such as Cloudflare you should not enable this option, or should exclude the ports that you have proxied in CT_PORTS. To disable this feature, set this to 0. Warning: Do not set this number too low.
Default: 0

Connection tracking interval - CT_INTERVAL
The number of seconds between connection tracking scans.
Default: 30 Range: 10-3600

Connection tracking permanent blocking - CT_PERMANENT
Enable permanent blocking for an IP address when blocked due to connection tracking.
Default: 0 Range: 0-1

Connection tracking block time - CT_BLOCK_TIME
The interval in seconds that the IP will remain blocked for.
Default: 1800 Range: 300-86400

Skip TIME_WAIT state - CT_SKIP_TIME_WAIT
Do not count the TIME_WAIT state against the connection count.
Default: 0 Range: 0-1

Connection tracking states - CT_STATES
Only count specific states (e.g. SYN_RECV,TIME_WAIT) for connection tracking. An empty value will count all states against CT_LIMIT.
Default: empty

Connection tracking ports - CT_PORTS
Only count specific ports (e.g. 80,443) for connection tracking. An empty value will count all ports against CT_LIMIT.
Default: empty
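How CT_LIMIT, CT_SUBNET_LIMIT, CT_STATES, CT_PORTS and CT_SKIP_TIME_WAIT combine, as an added illustration (not the product's code) applied to a constructed connection table; the setting values are chosen for the example and the per-IP counts use the peer address's /24 for the subnet rule:

```python
from collections import Counter
from ipaddress import ip_network

CT_LIMIT = 2             # example values, not the page's defaults
CT_SUBNET_LIMIT = 4      # per-/24 total above which the subnet is blocked
CT_SKIP_TIME_WAIT = 1
CT_STATES = ""           # empty: count every state
CT_PORTS = "80,443"      # empty: count every port

# Constructed "state  local:port  peer:port" lines (netstat-style state names)
CONNS = """\
ESTABLISHED  10.0.0.1:443  203.0.113.5:51001
ESTABLISHED  10.0.0.1:443  203.0.113.5:51002
SYN_RECV     10.0.0.1:80   203.0.113.5:51003
TIME_WAIT    10.0.0.1:80   203.0.113.5:51004
ESTABLISHED  10.0.0.1:22   203.0.113.5:51005
ESTABLISHED  10.0.0.1:443  198.51.100.2:40001
ESTABLISHED  10.0.0.1:443  198.51.100.3:40002
ESTABLISHED  10.0.0.1:443  198.51.100.4:40003
ESTABLISHED  10.0.0.1:80   198.51.100.5:40004
ESTABLISHED  10.0.0.1:80   198.51.100.6:40005
"""

def count_connections(lines, ports=CT_PORTS, states=CT_STATES,
                      skip_time_wait=CT_SKIP_TIME_WAIT):
    """Connections per peer IP and per peer /24 after the CT_PORTS, CT_STATES
    and CT_SKIP_TIME_WAIT filters (empty CT_* values mean 'count everything')."""
    want_ports = {int(p) for p in ports.split(",") if p}
    want_states = {s for s in states.split(",") if s}
    per_ip, per_subnet = Counter(), Counter()
    for line in lines.splitlines():
        state, local, peer = line.split()
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        if want_ports and local_port not in want_ports:
            continue
        if want_states and state not in want_states:
            continue
        if skip_time_wait and state == "TIME_WAIT":
            continue
        per_ip[peer_ip] += 1
        per_subnet[str(ip_network(peer_ip + "/24", strict=False))] += 1
    return per_ip, per_subnet

def offenders(lines, limit=CT_LIMIT, subnet_limit=CT_SUBNET_LIMIT, **filters):
    """IPs and /24 subnets whose counts exceed the limits (a limit of 0 disables it)."""
    per_ip, per_subnet = count_connections(lines, **filters)
    ips = sorted(ip for ip, n in per_ip.items() if limit and n > limit)
    nets = sorted(s for s, n in per_subnet.items() if subnet_limit and n > subnet_limit)
    return ips, nets
```

Note that the five 198.51.100.x peers each stay under CT_LIMIT and are only caught by CT_SUBNET_LIMIT, which is exactly the case where a proxied port would make a legitimate proxy's subnet look like an attacker.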

Process Tracking

Process tracking limit - PT_LIMIT
Enable the tracking of processes and examine them for suspicious executables or open network ports. If a suspicious process is found an alert email is sent. This option is the number of seconds a process has to be active before it is inspected. To disable this option set to 0.
Default: 0 Range: 0-3600

Process tracking interval - PT_INTERVAL
The interval in seconds for how frequently processes are checked.
Default: 60 Range: 10-3600

Skip tracking of HTTP scripts - PT_SKIP_HTTP
Do not have process tracking highlight PHP or Perl scripts that are run.
Default: 0 Range: 0-1

Track all user accounts - PT_ALL_USERS
Enable the tracking of all Linux accounts on the server. This is recommended to improve security against compromised accounts.
Default: 0 Range: 0-1

Skip deleted processes - PT_DELETED
Report processes whose binary has been deleted from disk.
Default: 0 Range: 0-1

Deleted process event script - PT_DELETED_ACTION
The full path to a script that is run when a PT_DELETED event is triggered. The action script must have the execute bit and its interpreter set.
Default: empty

User process limit - PT_USERPROC
Track the number of processes any given account is running at one time. If the number of processes exceeds this value an email alert is sent with details of those processes. To disable this option set to 0.
Default: 10 Range: 0-100

User process memory limit - PT_USERMEM
Send an alert if any user process exceeds the memory usage set (MB). To disable this option set to 0.
Default: 512 Range: 0-1024

User process RSS memory limit - PT_USERRSS
Send an alert if any user process exceeds the RSS memory usage set (MB) - RAM used, not virtual. To ignore specific processes or users use Process Tracking Ignore.
Default: 256 Range: 0-1024

User process time limit - PT_USERTIME
Sends an alert if any user process exceeds the time usage set (in seconds). To disable this option set to 0.
Default: 1800 Range: 0-86400

User process killing - PT_USERKILL
Enable the killing of processes detected by PT_USERMEM, PT_USERTIME or PT_USERPROC. (not recommended)
Default: 0 Range: 0-1

User process event script - PT_USER_ACTION
The full path to a script that is run when a PT_USERKILL event is triggered. The action script must have the execute bit and its interpreter set.
Default: empty

Load level checking interval - PT_LOAD
Check the PT_LOAD_AVG-minute load average on the server every PT_LOAD seconds. If the load average is greater than or equal to PT_LOAD_LEVEL then an email alert is sent. The login failure daemon does not report subsequent high load events until PT_LOAD_SKIP seconds have passed, to prevent email floods. To disable this option set to 0.
Default: 30 Range: 0-3600

Load level average - PT_LOAD_AVG
The load average period (1, 5 or 15 minutes) that PT_LOAD checks.
Default: 5 Range: 1|5|15

Load level alert limit - PT_LOAD_LEVEL
The load average at or above which PT_LOAD sends an alert.
Default: 6 Range: 2-20

Skip load level alert interval - PT_LOAD_SKIP
The login failure daemon does not report subsequent high load events until PT_LOAD_SKIP seconds have passed, to prevent email floods.
Default: 3600 Range: 1800-86400

Apache server status URL - PT_APACHESTATUS
The Apache Server Status URL used in the load average email alert. The Apache mod_status module is required.
Default: http://localhost:7080/server-status

Load level event script - PT_LOAD_ACTION
The full path to a script that is run when a PT_LOAD event is triggered. The action script must have the execute bit and its interpreter set.
Default: empty

Forkbomb limit - PT_FORKBOMB
Check the number of processes with the same session ID and, if greater than the value set, terminate the whole session tree and send an alert.
Default: 0 Range: 0|100-1000

Terminate blocked IP SSHD sessions - PT_SSHDKILL
Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes are often left hung after their connecting IP addresses have been blocked. This option will terminate the SSH processes created by the blocked IP. This option is preferred over PT_SSHDHUNG.
Default: 0 Range: 0-1

Terminate hung SSHD sessions - PT_SSHDHUNG
Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes are often left hung after their connecting IP addresses have been blocked. This option will terminate all processes with the cmdline of "sshd: unknown [net]" or "sshd: unknown [priv]" if they have been running for more than 60 seconds. Note: It is possible that enabling this option may have adverse effects on valid SSHD processes. If this is the case, this option should be disabled.
Default: 0 Range: 0-1

Port Scan Tracking

Port scan tracking interval - PS_INTERVAL
If an IP address generates a port block that is logged more than PS_LIMIT times within PS_INTERVAL seconds, the IP address will be blocked. To disable this option set to 0.
Default: 0 Range: 0|60-3600

Port scan tracking limit - PS_LIMIT
If an IP address generates a port block that is logged more than PS_LIMIT times within PS_INTERVAL seconds, the IP address will be blocked.
Default: 10 Range: 2-20

Port scan tracking ports - PS_PORTS
The ports / port ranges that should be tracked by the Port Scan Tracking feature.
Default: 0:65535,ICMP

Port scan tracking diversity - PS_DIVERSITY
How many different ports qualify as a port scan. Raising this value above 1 means that persistent attempts to attack a specific closed port will not be detected and blocked.
Default: 1 Range: 1-100

Port scan tracking permanent blocking - PS_PERMANENT
Make port scan tracking blocks Permanent.
Default: 0 Range: 0-1

Port scan tracking block time - PS_BLOCK_TIME
The port scan tracking temporary block time in seconds.
Default: 3600 Range: 300-86400
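The PS_INTERVAL / PS_LIMIT / PS_PORTS / PS_DIVERSITY logic as an added illustration run over constructed firewall log lines in the kernel's netfilter LOG field format; this is not the product's own code, the setting values are chosen for the example, and the log prefix and one-day timestamps are assumptions:

```python
from collections import defaultdict

PS_INTERVAL = 60           # example values, not the page's defaults
PS_LIMIT = 2               # blocks logged beyond this many within PS_INTERVAL
PS_PORTS = "0:65535,ICMP"
PS_DIVERSITY = 2           # distinct ports needed before it counts as a scan

# Constructed syslog lines in netfilter LOG format, all from one day
LOG = """\
Mar 10 10:00:01 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 SRC=203.0.113.9 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=23
Mar 10 10:00:05 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 SRC=203.0.113.9 DST=10.0.0.1 PROTO=TCP SPT=51001 DPT=22
Mar 10 10:00:10 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 SRC=203.0.113.9 DST=10.0.0.1 PROTO=TCP SPT=51002 DPT=3389
Mar 10 10:01:00 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=22
Mar 10 10:01:10 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP SPT=40001 DPT=22
Mar 10 10:01:20 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP SPT=40002 DPT=22
Mar 10 10:02:00 host kernel: Firewall: *ICMP_IN Blocked* IN=eth0 SRC=192.0.2.1 DST=10.0.0.1 PROTO=ICMP TYPE=8
"""

def port_matches(proto, dpt, ps_ports=PS_PORTS):
    # PS_PORTS entries are single ports, lo:hi ranges, or the word ICMP
    for entry in ps_ports.split(","):
        if entry == "ICMP":
            if proto == "ICMP":
                return True
        elif dpt is not None:
            lo, _, hi = entry.partition(":")
            if int(lo) <= dpt <= int(hi or lo):
                return True
    return False

def port_scanners(log, interval=PS_INTERVAL, limit=PS_LIMIT,
                  diversity=PS_DIVERSITY, ps_ports=PS_PORTS):
    """IPs whose tracked blocks in some `interval`-second window exceed `limit`
    and touch at least `diversity` distinct ports; interval 0 disables."""
    if interval == 0:
        return []
    events = defaultdict(list)
    for line in log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        dpt = int(fields["DPT"]) if "DPT" in fields else None
        if not port_matches(fields["PROTO"], dpt, ps_ports):
            continue
        h, m, s = map(int, line[7:15].split(":"))   # HH:MM:SS -> seconds of day
        events[fields["SRC"]].append((h * 3600 + m * 60 + s, "ICMP" if dpt is None else dpt))
    blocked = set()
    for ip, hits in events.items():
        for i, (ts, _) in enumerate(hits):
            window = [p for t, p in hits[: i + 1] if ts - t <= interval]
            if len(window) > limit and len(set(window)) >= diversity:
                blocked.add(ip)
    return sorted(blocked)
```

With PS_DIVERSITY at 2 the host hammering only port 22 is not treated as a scanner; lowering PS_DIVERSITY to 1 catches it, which is the trade-off the PS_DIVERSITY description points out.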

User ID Tracking

User ID tracking interval - UID_INTERVAL
Enable user ID tracking. Track UID blocks logged by iptables to syslog. If a UID generates a port block that is logged more than UID_LIMIT times within UID_INTERVAL seconds, an alert will be sent.
Default: 0 Range: 0|60-86400

User ID tracking limit - UID_LIMIT
The number of times within UID_INTERVAL before an alert will be sent.
Default: 10 Range: 1-100

User ID tracking port range - UID_PORTS
The port or port ranges that should be tracked by the User ID tracking feature. The default setting of 0:65535,ICMP covers all ports.
Default: 0:65535,ICMP

Account Tracking

Account tracking - AT_ALERT
Enable the tracking of modifications to the accounts on a server. If account tracking options are triggered then an alert email is sent.
Default: 2 Range: 0-2

Account tracking interval - AT_INTERVAL
The interval in seconds between account tracking checks.
Default: 60 Range: 10-3600