====== CSF firewall install ======

Installing perl dependencies: 

CentOS:
<code bash>
yum install bind-utils perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN perl-IO-Socket-INET6 perl-Socket6 perl-IO-Socket-Multicast ipset -y
</code>

Debian/Ubuntu:
<code bash>
apt install libwww-perl liblwp-protocol-https-perl libtemplate-plugin-gd-perl ipset
</code>

Then CSF installing:
<code bash>
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
</code>

===== Disable alerts =====

  * Disable all email alerts:
<code bash>
LF_EMAIL_ALERT = "0"
</code>

  * Disable PERM BLOCK alerts:
<code bash>
LF_PERMBLOCK_ALERT = "0"
</code>

===== Increase interval to track login and other LF_ failures =====
<code>
LF_INTERVAL = "86400"
</code>

===== Analize user runned proccesses =====

<code bash>
grep 'User Processing' /var/log/lfd.log | grep -o "EXE:.*" | awk '{ print $1 }' | sort | uniq | sed -e 's/EXE/exe/g'
</code>

===== Useful links =====

  * https://jparks.work/index.php?title=CSF_Firewall
  * https://forum.directadmin.com/showthread.php?t=49424&p=254279#post254279
  * https://www.knownhost.com/wiki/security/csf-lfd/notifications
  * https://www.memset.com/blog/block-wordpress-dos-attacks-cpanel/
  * https://tecadmin.net/how-to-enable-csf-firewall-web-ui/

===== Block bad bots (DirectAdmin servers) =====

Quick:
<code bash>
csf -d 46.229.160.0/20 do not delete abuser SemRush
csf -d 216.244.64.0/24 do not delete abuser DotBot
csf -d 54.36.148.0/23 do not delete abuser AhrefsBot
csf -d 151.80.39.0/24 do not delete abuser AhrefsBot

</code>

DirectAdmin Search:
<code bash>
grep -h MJ12bot /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser MJ12bot"}' | sh
grep -h DotBot /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser DotBot"}' | sh
grep -h BUbiNG /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser BUbiNG"}' | sh
grep -h AhrefsBot /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser AhrefsBot"}' | sh
grep -h BLEXBot /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser BLEXBot"}' | sh
# if not needed
grep -h Yandex /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser YandexBot"}' | sh
</code>

DirectAdmin Search at once:
<code bash>
egrep -h 'SemRush|MJ12bot|DotBot|BUbiNG|AhrefsBot|BLEXBot|SMTBot|MauiBot' /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser BADBOT"}' | sh
</code>

Cpanel Search at once:
<code bash>
egrep -h 'SemRush|MJ12bot|DotBot|BUbiNG|AhrefsBot|BLEXBot|SMTBot|MauiBot' /etc/apache2/logs/domlogs/* | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser BADBOT"}' | sh
</code>

Find bad bot'd
<code bash>
awk -F\" '{print $6}' /var/log/httpd/domains/*.log | sort | uniq -c | sort -n | tail
</code>
===== WordPress attacts on NGINX vhost parser =====

Add to cron:

<code bash>
#block bruteforce
* * * * * root /bin/egrep -h "POST.*wp-login.php.*200" /var/log/nginx/domains/*.log | /bin/awk '{print $1}' | /bin/sort | /usr/bin/uniq -c | /bin/awk '$1>=5{print "/usr/sbin/csf -d "$2" wp-login abuser"}' | /bin/sh >/dev/null 2>&1
#block xmlrpc attack
* * * * * root /bin/egrep -h "POST.*xmlrpc.php.*200" /var/log/nginx/domains/*.log | /bin/awk '{print $1}' | /bin/sort | /usr/bin/uniq -c | /bin/awk '$1>=5{print "/usr/sbin/csf -d "$2" xmlrpc abuser"}' | /bin/sh >/dev/null 2>&1
#bad bots block
*/30 * * * * root /bin/egrep -h 'MJ12bot|DotBot|BUbiNG|AhrefsBot|BLEXBot|SMTBot' /var/log/nginx/domains/*.log | /bin/awk '{print $1}' | /bin/sort | /usr/bin/uniq | /bin/awk '{print "/usr/sbin/csf -d "$1" do not delete abuser BADBOT"}' | /bin/sh
</code>

===== WordPress attacts on HTTPD vhost parser =====

<code bash>
/bin/egrep -h "POST.*wp-login.php.*200" /var/log/httpd/domains/*.log | /bin/awk '{print $1}' | /bin/sort | /usr/bin/uniq -c | /bin/awk '$1>=5{print "/usr/sbin/csf -d "$2" wp-login abuser"}' | /bin/sh
/bin/egrep -h "POST.*xmlrpc.php.*200" /var/log/httpd/domains/*.log | /bin/awk '{print $1}' | /bin/sort | /usr/bin/uniq -c | /bin/awk '$1>=5{print "/usr/sbin/csf -d "$2" xmlrpc abuser"}' | /bin/sh
</code>

===== Add dynamic domain names =====

In csf.conf edit
<code>
DYNDNS = "600"
</code>
To csf.dyndns add Your wanted domain
<code>
tcp|out|d=25|d=smtp.google.com -- edit appropriately for ports/hostnames etc.
</code>
Restart CSF
<code>
csf -ra
</code>

===== Messanger HTTPS enable =====

In csf.conf add ports which should be redirected to non https:
<code>
MESSENGER_HTTPS_IN = "443,2222"
</code>

DirectAdmin enable SSL (SNI) - only for CentOS7:
<code>
MESSENGER_HTTPS_CONF = "/usr/local/directadmin/data/users/*/httpd.conf"
</code>