ServerBuddies Support Blog

csf LF_SCRIPT_ALERT option

This option will notify you when a large amount of email is sent from a particular script on the server, helping track down spam scripts.

Spam Protection Alerts

If you want to add some spam protection, CSF can help. Look in the configuraiton for the following:

LF_SCRIPT_ALERT = 0 change this to 1. This will send an email alert to the system administrator when the limit configured below is reached within an hour.

LF_SCRIPT_LIMIT = 100 change this to 250. This will alert you when any scripts sends out 250 email messages in an hour.

This setting will then send an alert email if more than LF_SCRIPT_LIMIT lines appear with the same cwd= path in them within an hour. This can be useful in identifying spamming scripts on a server, especially PHP scripts running under the nobody account. The email that is sent includes the exim log lines and also attempts to find scripts that send email in the path that may be the culprit.

The limit after which the email alert for email scripts is sent. Care should be taken with this value if you allow clients to use web scripts to maintain pseudo-mailing lists which have large recipients.

Reference: http://www.configserver.com

File protection with chmod

chmod 400 file To protect a file against accidental overwriting.
chmod 500 directory To protect yourself from accidentally removing, renaming or moving files from this directory.
chmod 600 file A private file only changeable by the user who entered this command.
chmod 644 file A publicly readable file that can only be changed by the issuing user.
chmod 660 file Users belonging to your group can change this file, others don’t have any access to it at all.
chmod 700 file Protects a file against any access from other users, while the issuing user still has full access.
chmod 755 directory For files that should be readable and executable by others, but only changeable by the issuing user.
chmod 775 file Standard file sharing mode for a group.
chmod 777 file Everybody can do everything to this file.

.htaccess Hotlink protection for files on your server.

You can stop others from hotlinking your site’s files by placing a file called .htaccess in your Apache site root (main) directory. The period before the name means the file is hidden.

Example: Your site url is www.mysite.com. To stop hotlinking of your images from other sites and display a replacement image called nohotlink.jpe placed in your images directory, place this code in your .htaccess file:

The first line of the above code begins the rewrite. The second line matches any requests from your own mysite.com url. The [NC] code means “No Case”, meaning match the url regardless of being in upper or lower case letters. The third line means allow empty referrals. The last line matches any files ending with the extension jpeg, jpg, gif, bmp, or png. This is then replaced by the blockhotlink.jpe file in your images directory. This JPEG image is using the extension jpe instead of jpg to prevent blocking your own replacement image.

Disable ICMP Redirect and Enable IP Spoofing Protection

ICMP redirects are used by routers to tell the server that there is a better path to other networks than the one chosen by the server.

However, an intruder could potentially use ICMP redirect packets to alter the hosts’s routing table by causing traffic to use a path you didn’t intend.

To disable ICMP Redirect Acceptance, edit the /etc/sysctl.conf file and add the following line:

# Do not accept ICMP redirects (prevent MITM attacks)

Enable IP Spoofing Protection

IP spoofing is a technique where an intruder sends out packets which claim to be from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks.

To enable IP Spoofing Protection, turn on Source Address Verification.

Edit the /etc/sysctl.conf file and add the following line: