CSF firewall install

Installing Perl dependencies:

CentOS:

yum install bind-utils perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN perl-IO-Socket-INET6 perl-Socket6 perl-IO-Socket-Multicast ipset -y

Debian/Ubuntu:

apt install libwww-perl liblwp-protocol-https-perl libtemplate-plugin-gd-perl ipset

Then install CSF:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Disable alerts (in csf.conf)

LF_EMAIL_ALERT = "0"
LF_PERMBLOCK_ALERT = "0"

Increase the interval over which login and other LF_ failures are tracked

LF_INTERVAL = "86400"

Analyze processes run by users (from lfd's "User Processing" log entries)

grep 'User Processing' /var/log/lfd.log | grep -o "EXE:.*" | awk '{ print $1 }' | sort | uniq | sed -e 's/EXE/exe/g'

Block bad bots (DirectAdmin servers)

Quick:

csf -d 46.229.160.0/20 do not delete abuser SemRush
csf -d 216.244.64.0/24 do not delete abuser DotBot
csf -d 54.36.148.0/23 do not delete abuser AhrefsBot
csf -d 151.80.39.0/24 do not delete abuser AhrefsBot

DirectAdmin Search:

grep -h MJ12bot /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser MJ12bot"}' | sh
grep -h DotBot /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser DotBot"}' | sh
grep -h BUbiNG /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser BUbiNG"}' | sh
grep -h AhrefsBot /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser AhrefsBot"}' | sh
grep -h BLEXBot /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser BLEXBot"}' | sh
# only if Yandex traffic is not needed
grep -h Yandex /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser YandexBot"}' | sh

DirectAdmin Search at once:

egrep -h 'SemRush|MJ12bot|DotBot|BUbiNG|AhrefsBot|BLEXBot|SMTBot|MauiBot' /var/log/httpd/domains/*.log | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser BADBOT"}' | sh

Cpanel Search at once:

egrep -h 'SemRush|MJ12bot|DotBot|BUbiNG|AhrefsBot|BLEXBot|SMTBot|MauiBot' /etc/apache2/logs/domlogs/* | awk '{print $1}' | sort | uniq | awk '{print "csf -d "$1" do not delete abuser BADBOT"}' | sh

Find bad bots (most frequent user agents)

awk -F\" '{print $6}' /var/log/httpd/domains/*.log | sort | uniq -c | sort -n | tail

WordPress attacks on NGINX: vhost log parser

Add to cron:

#block bruteforce
* * * * * root /bin/egrep -h "POST.*wp-login.php.*200" /var/log/nginx/domains/*.log | /bin/awk '{print $1}' | /bin/sort | /usr/bin/uniq -c | /bin/awk '$1>=5{print "/usr/sbin/csf -d "$2" wp-login abuser"}' | /bin/sh >/dev/null 2>&1
#block xmlrpc attack
* * * * * root /bin/egrep -h "POST.*xmlrpc.php.*200" /var/log/nginx/domains/*.log | /bin/awk '{print $1}' | /bin/sort | /usr/bin/uniq -c | /bin/awk '$1>=5{print "/usr/sbin/csf -d "$2" xmlrpc abuser"}' | /bin/sh >/dev/null 2>&1
#bad bots block
*/30 * * * * root /bin/egrep -h 'MJ12bot|DotBot|BUbiNG|AhrefsBot|BLEXBot|SMTBot' /var/log/nginx/domains/*.log | /bin/awk '{print $1}' | /bin/sort | /usr/bin/uniq | /bin/awk '{print "/usr/sbin/csf -d "$1" do not delete abuser BADBOT"}' | /bin/sh

WordPress attacks on HTTPD: vhost log parser

/bin/egrep -h "POST.*wp-login.php.*200" /var/log/httpd/domains/*.log | /bin/awk '{print $1}' | /bin/sort | /usr/bin/uniq -c | /bin/awk '$1>=5{print "/usr/sbin/csf -d "$2" wp-login abuser"}' | /bin/sh
/bin/egrep -h "POST.*xmlrpc.php.*200" /var/log/httpd/domains/*.log | /bin/awk '{print $1}' | /bin/sort | /usr/bin/uniq -c | /bin/awk '$1>=5{print "/usr/sbin/csf -d "$2" xmlrpc abuser"}' | /bin/sh
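The following is an added example, not part of the original notes: a dry-run version of the wp-login.php / xmlrpc.php pipelines above. It matches the HTTP status field exactly instead of egrep's "POST.*wp-login.php.*200", which also matches a response-size field such as 2001, and it prints the csf -d commands instead of piping them to sh. The function name, threshold argument and the sample log lines are constructed for this example.

```shell
# wp_abusers LOGFILE THRESHOLD SCRIPT
#   SCRIPT is wp-login.php or xmlrpc.php. Prints one "csf -d IP comment"
#   line per client IP with at least THRESHOLD POSTs to SCRIPT that
#   returned status 200 (a failed wp-login.php POST answers 200; a
#   successful one redirects with 302).
wp_abusers() {
    awk -v th="$2" -v script="$3" '
        # combined log format: $1=IP, $6="\"POST", $7=path, $9=status
        $6 == "\"POST" && index($7, script) && $9 == "200" { hits[$1]++ }
        END {
            for (ip in hits)
                if (hits[ip] >= th)
                    printf "/usr/sbin/csf -d %s %s abuser\n", ip, script
        }' "$1" | sort
}

# Constructed sample access log (not a real vhost log). The 198.51.100.7
# line with "302 2001" would be miscounted by egrep's ".*200" pattern.
SAMPLE_LOG="${TMPDIR:-/tmp}/csf_example_access.log"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 2001 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:13:57:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.55 - - [10/Oct/2023:13:57:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
EOF

wp_abusers "$SAMPLE_LOG" 5 wp-login.php   # prints the 203.0.113.10 deny only
wp_abusers "$SAMPLE_LOG" 2 xmlrpc.php     # prints the 192.0.2.55 deny only
```

Replace the final `sort` with `| sh` only once the printed commands look right against a real log directory.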

Add dynamic domain names

In csf.conf, edit:

DYNDNS = "600"

Add the wanted domain to csf.dyndns:

tcp|out|d=25|d=smtp.google.com -- edit appropriately for ports/hostnames etc.

Restart CSF

csf -ra

Enable Messenger HTTPS

In csf.conf, add the ports which should be redirected to the HTTPS messenger:

MESSENGER_HTTPS_IN = "443,2222"

DirectAdmin: enable SSL (SNI), CentOS 7 only:

MESSENGER_HTTPS_CONF = "/usr/local/directadmin/data/users/*/httpd.conf"