Basic parameters of the CSF firewall
doc.bnix.vn, published 2021-09-09, last modified 2022-08-14
https://doc.bnix.vn/cac-thong-so-con-ban-trong-tuong-lua-csf/ (category: Linux; tags: csf, csf firewall, firewall)

This article introduces the basic parameters of the CSF (ConfigServer Security & Firewall) firewall.

2. Basic configuration in the csf.conf file

The example values used throughout this article, in the order the article discusses them; each one is explained in turn further down:

TESTING = "0"
TESTING_INTERVAL = "5"
AUTO_UPDATES = "0"
TCP_IN = "22,25,53,80,443"
TCP_OUT = "25,80"
UDP_IN = "53"
UDP_OUT = "53"
ICMP_IN = "1"
ICMP_IN_RATE = "1/s"

ICMP_IN_RATE = "1/s" limits the rate of pings the server answers to 1 per second. Pings arriving faster than that get "Request timeout", and when several people ping the server at the same time most of them see "Request timeout", because the server answers only one echo request per second in total. That is easily mistaken for a flaky network connection when nothing is actually wrong. Raising the value somewhat, or removing the limit altogether (set it to "0"), clears the symptom.

ETH_DEVICE = "eth0"
ETH_DEVICE_SKIP = "eth1"
DENY_IP_LIMIT = "500"
LF_DAEMON = "1"
LF_CSF = "1"
PACKET_FILTER = "1"
IPV6 = "0"
SYNFLOOD = "1"
SYNFLOOD_RATE = "30/s"
SYNFLOOD_BURST = "40"
CONNLIMIT = "80;20"
PORTFLOOD = "80;tcp;20;5"
DROP_NOLOG = "10050,10051"
CONNLIMIT_LOGGING = "1"
LF_ALERT_TO = "your_email@your_domain.com"
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "6"
LF_PERMBLOCK_ALERT = "1"
LF_TRIGGER = "1"
LF_TRIGGER_PERM = "1"
LF_SELECT = "1"
LF_EMAIL_ALERT = "1"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "0"
LF_FTPD_PERM = "1"
(the same pattern applies to the remaining services further down: SMTP, POP3, IMAP, .htpasswd, mod_security ...)
LF_SSH_EMAIL_ALERT = "0"
LF_SU_EMAIL_ALERT = "0"
LF_DIRWATCH = "3600"
LF_DIRWATCH_DISABLE = "1"
LF_DIRWATCH_FILE = "60"
LF_INTEGRITY = "0"
LF_DISTATTACK = "0"
LF_DISTATTACK_UNIQ = "2"
LT_POP3D = "30"
LT_EMAIL_ALERT = "0"
LT_SKIPPERMBLOCK = "0"
CT_LIMIT = "300"
CT_INTERVAL = "30"
CT_EMAIL_ALERT = "1"
CT_PERMANENT = "0"
CT_BLOCK_TIME = "1800"
CT_SKIP_TIME_WAIT = "0"
CT_STATES = "SYN_RECV"
CT_PORTS = "80,443"
PS_INTERVAL = "300"
PS_LIMIT = "15"
PS_PORTS = "0:65535,ICMP"
PS_PERMANENT = "0"
PS_BLOCK_TIME = "3600"
1. CSF basics

The configuration file is /etc/csf/csf.conf. Every other file mentioned below without an explicit path also lives in /etc/csf/.
Configuration parameters have the form ARGS = "VALUE", where
VALUE = "0" => disabled
VALUE = "1" => enabled
VALUE > 1 (VALUE = "20", VALUE = "30" ...): a maximum count (a threshold)
VALUE > 1 (VALUE = "1800", VALUE = "3600" ...): a duration, in seconds.
Whether a value above 1 is a count or a number of seconds depends on the parameter; csf.conf documents each one in the comment block above it, so check there before changing a value.
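A small parser for the `ARGS = "VALUE"` format, with checks for misconfigurations of the parameters this article covers (TESTING left on, TCP_OUT without 443, LF_TRIGGER above 0 turning LF_SSHD into an on/off switch, SYNFLOOD being a global limit, IPV6 = "0" on a dual-stack host). This is an added example, not csf's own code; the sample configuration inside it is constructed from the values this article uses, and the port-list expansion assumes csf's "a,b,c" and "lo:hi" notation.

```python
"""Parse csf.conf-style `KEY = "VALUE"` lines and flag the settings discussed in this article.

Added example, not csf's code. SAMPLE_CONF below is a constructed excerpt built from the
article's values; the checks encode the semantics the article describes.
"""
import re

# KEY = "VALUE", optional surrounding whitespace, optional trailing comment
LINE_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"\s*(?:#.*)?$')


def parse_csf_conf(text: str) -> dict:
    """Return {KEY: value} for every `KEY = "VALUE"` line; comments and blank lines are skipped."""
    conf = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not a KEY = "VALUE" line: {line!r}')
        conf[m.group(1)] = m.group(2)
    return conf


def port_set(value: str) -> set:
    """Expand a csf port list such as "22,25,53,80,443" or "1000:1005" into a set of ints."""
    ports = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def lint(conf: dict) -> list:
    """Return human-readable findings for the pitfalls the article discusses."""
    findings = []
    if conf.get("TESTING", "1") == "1":
        findings.append("TESTING=1: lfd is not running and iptables is flushed every "
                        f"{conf.get('TESTING_INTERVAL', '5')} min; set TESTING=0 once the rules are verified")
    tcp_out = port_set(conf.get("TCP_OUT", ""))
    if tcp_out and 443 not in tcp_out:
        findings.append("TCP_OUT lacks 443: outbound HTTPS (package repositories, APIs) will be dropped")
    trigger = int(conf.get("LF_TRIGGER", "0") or 0)
    if trigger > 0:
        # with LF_TRIGGER > 0 the per-service LF_* values are only on/off switches
        # (the real csf.conf has more of them than the two this article shows)
        for key in ("LF_SSHD", "LF_FTPD"):
            if int(conf.get(key, "0") or 0) > 1:
                findings.append(f"LF_TRIGGER={trigger} makes {key} an on/off switch; its value "
                                f"{conf[key]} is not a per-service threshold. Blocks happen after "
                                f"{trigger} failure(s) across all services")
    if conf.get("SYNFLOOD") == "1":
        findings.append("SYNFLOOD=1 rate-limits all incoming SYNs globally "
                        f"({conf.get('SYNFLOOD_RATE')} burst {conf.get('SYNFLOOD_BURST')}); "
                        "enable only while under a SYN flood")
    if conf.get("IPV6") == "0":
        findings.append("IPV6=0: csf manages no ip6tables rules; if the host has an IPv6 address it is unfiltered")
    return findings


SAMPLE_CONF = '''\
# constructed excerpt using the article's values
TESTING = "0"
TESTING_INTERVAL = "5"
TCP_IN = "22,25,53,80,443"
TCP_OUT = "25,80"
UDP_IN = "53"
UDP_OUT = "53"
IPV6 = "0"
SYNFLOOD = "1"
SYNFLOOD_RATE = "30/s"
SYNFLOOD_BURST = "40"
LF_TRIGGER = "1"
LF_SSHD = "5"
LF_FTPD = "0"
'''

if __name__ == "__main__":
    for finding in lint(parse_csf_conf(SAMPLE_CONF)):
        print("-", finding)
```

Run it against a real file with `lint(parse_csf_conf(open("/etc/csf/csf.conf").read()))`; the parser raises on any line that is not `KEY = "VALUE"`, which is deliberate, since a malformed line in csf.conf is worth knowing about before `csf -r`.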
TESTING = "1" right after installation. While TESTING = "1" the lfd daemon (Login Failure Daemon) does not run, and a cron job flushes the iptables rules every TESTING_INTERVAL minutes, so a mistake in the rules cannot lock you out of the server. Once the configuration looks right, set TESTING = "0" so that lfd starts and begins blocking attacking IPs.

TESTING_INTERVAL = "5": how often, in minutes, the cron job flushes iptables while TESTING = "1".

AUTO_UPDATES = "0": disable automatic updates of csf.

TCP_IN = "22,25,53,80,443": allowed incoming TCP ports, letting users reach the SSH, sendmail (SMTP), DNS and web services on the server.

TCP_OUT = "25,80": allowed outgoing TCP ports, letting the server connect to other web and mail servers. Note that 443 is missing from this list, so outbound HTTPS (package repositories, most APIs and webhooks) is dropped; add 443 when the server needs it, and 53 if it must make DNS queries over TCP.

UDP_IN = "53": allowed incoming UDP ports, letting users use the DNS service on the server.

UDP_OUT = "53": allowed outgoing UDP ports, letting the server query external DNS.

ICMP_IN = "1": allow ping to the server.
ETH_DEVICE = "eth0": by default csf configures iptables to filter traffic on every network interface except loopback. To apply the rules only to eth0, declare it here.

ETH_DEVICE_SKIP = "eth1": interfaces on which you do not want the iptables rules applied. For example, if eth1 is the internal (LAN) interface and you do not want to filter it, configure it as above.
DENY_IP_LIMIT = "500": limits the number of IPs blocked "permanently" by CSF (these are stored in /etc/csf/csf.deny). Each entry is an iptables rule, so the right number depends on the server's resources: around "200" is reasonable for a VPS, around "500" for a dedicated server. When the number of blocked IPs exceeds this limit, csf automatically unblocks the oldest one (the IP on line 1 of /etc/csf/csf.deny).
LF_DAEMON = "1": enable login failure detection (lfd).

LF_CSF = "1": lfd checks that csf is running and restarts it if it has stopped.

PACKET_FILTER = "1": drop packets that connection tracking marks INVALID (wrong sequence numbers, segments that do not belong to a connection that completed the three-way handshake ...) and packets with invalid TCP flag combinations.

IPV6 = "0": disable IPv6 support, meaning csf manages no ip6tables rules at all. If the server has an IPv6 address, its IPv6 traffic is then left unfiltered, so enable this on any dual-stack host.

SYNFLOOD = "1", SYNFLOOD_RATE = "30/s", SYNFLOOD_BURST = "40": enable SYN flood protection. This is an iptables rate limit on incoming SYN packets as a whole, not a per-IP counter: after a burst of 40 SYNs, SYNs arriving faster than 30 per second are dropped whichever IP they come from, and no IP gets blocked. Because it slows down new connections from everyone once triggered, the csf.conf comments advise enabling it only while the server is actually under a SYN flood; per-IP limits are what CONNLIMIT and PORTFLOOD below are for.
CONNLIMIT = "80;20": limits the number of concurrent new connections to the server per IP. The example means: each IP may hold at most 20 concurrent connections to port 80.

PORTFLOOD = "80;tcp;20;5": limits the number of connections to a given port within a period of time, in the form port;protocol;hits;interval. The example means: if an IP makes more than 20 TCP connections to port 80 within 5 s, that IP is blocked for at least 5 s counted from its last packet. After 5 s without further packets the IP is automatically unblocked and can connect normally again.

DROP_NOLOG = "10050,10051": ports for which dropped packets are not logged (10050 and 10051 are the Zabbix agent and server ports; a monitoring host probing them would otherwise fill the log).

CONNLIMIT_LOGGING = "1": log IPs that exceed the CONNLIMIT configured above.

LF_ALERT_TO = "your_email@your_domain.com": by default all notification emails go to the server's root mailbox. To send them to another address, declare it here.
LF_PERMBLOCK = "1", LF_PERMBLOCK_INTERVAL = "86400", LF_PERMBLOCK_COUNT = "6", LF_PERMBLOCK_ALERT = "1": enable escalation from temporary to permanent blocks. If an IP is temporarily blocked 6 times within 86400 s (1 day) for violating the rules, it is blocked permanently (added to csf.deny), and an email is sent to the administrator. Note that 86400 is the window in which the 6 temporary blocks are counted, not the length of the resulting block, which is permanent; the window has to be longer than the temporary block time, since an IP can only earn its next temporary block after the previous one has expired.
LF_TRIGGER = "1": sets how the per-service LF_* triggers below are counted. With LF_TRIGGER = "0", each service keeps its own threshold (LF_SSHD = "5" means five SSH failures). With LF_TRIGGER greater than 0, the LF_* settings become plain on/off switches ("1"/"0") and LF_TRIGGER itself is the cumulative number of failures across all enabled services before the IP is blocked. LF_TRIGGER = "1" therefore blocks an IP after a single failed login of any kind; to get the per-service thresholds described below, set LF_TRIGGER = "0".

When LF_TRIGGER > 0, LF_TRIGGER_PERM sets whether that block is permanent:
+ LF_TRIGGER_PERM = "1" => the IP is blocked permanently.
+ LF_TRIGGER_PERM = "86400" => the IP is blocked for 1 day (any value above 1 is a duration in seconds).
LF_SELECT = "1": when an IP violates the lfd rules, instead of blocking all traffic from that IP, block only traffic to the service it failed to log in to (for example, repeated FTP login failures block FTP access from that IP while the website stays reachable).

LF_EMAIL_ALERT = "1": send an email notification when an IP is blocked by the triggers below.

LF_SSHD = "5": block the IP after 5 failed SSH logins. This threshold only applies when LF_TRIGGER = "0"; with LF_TRIGGER > 0 the setting is just on/off.
LF_SSHD_PERM = "1": the block for SSH failures is permanent straight away. Set it to a number of seconds greater than 1 for a temporary block instead; the escalation of repeated temporary blocks to a permanent one is governed separately by LF_PERMBLOCK_COUNT above.

LF_FTPD = "0": login failure detection is not enabled for FTP (so LF_FTPD_PERM = "1" has no effect).

LF_SSH_EMAIL_ALERT = "0": do not send an email when someone logs in successfully over SSH. On a server with a handful of administrators, enabling this is a cheap way to notice a stolen key or password being used.

LF_SU_EMAIL_ALERT = "0": do not send an email when a user runs "su" to switch to another user, whether the su succeeds or fails.
LF_DIRWATCH = "3600": lfd checks /tmp and /dev/shm every 3600 s and emails us if it finds files that look malicious. On most servers /tmp and /dev/shm are writable by every user, so attackers use them to drop their tooling (back-connect shells, local root exploits ...).

LF_DIRWATCH_DISABLE = "1": when a suspicious file is found in /tmp or /dev/shm, move it out of those directories and append it to /etc/csf/suspicious.tar. That preserves the file for later analysis and, in part, disrupts the attacker's work.

LF_DIRWATCH_FILE = "60": watch the files and directories listed in csf.dirwatch for changes and email us when one changes. With the value above, the check runs every 60 s.

LF_INTEGRITY = "0": (disabled here) checks operating system integrity by comparing the MD5 checksums of system binaries taken when lfd starts with their checksums at check time, and emails on any difference. It produces false alarms when the system is updated and adds I/O and load from the repeated hashing. Since the baseline is taken at lfd start, a binary replaced before lfd was (re)started is not caught.
LF_DISTATTACK = "0": (disabled here) detects brute-force attacks from a botnet. If one account accumulates more failed logins than the threshold allows, coming from several different IPs, all of the IPs that failed are blocked.

LF_DISTATTACK_UNIQ = "2": the minimum number of distinct IPs for the failures to count as a distributed attack.
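To make the counting rules concrete, here is a simulation of lfd's login-failure logic over sshd log lines: the per-service threshold LF_SSHD = "5" (with LF_TRIGGER = "0"), LF_SSHD_PERM, the LF_PERMBLOCK escalation of repeated temporary blocks within LF_PERMBLOCK_INTERVAL, and LF_DISTATTACK with LF_DISTATTACK_UNIQ. This is an added example, not lfd's source code; the log lines, timestamps (plain seconds rather than syslog dates) and IP addresses are constructed, and a temporary block is modelled as a counter reset rather than a real iptables rule.

```python
"""Simulate lfd's LF_* login-failure counting over constructed sshd log lines.

Added example, not lfd's code. Timestamps are plain integers (seconds); addresses are
documentation ranges; the sshd message format assumed is
"Failed password for [invalid user] NAME from IP port N ssh2".
"""
import re
from collections import defaultdict

# sshd failure line; "invalid user" appears when the account does not exist
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


class LoginFailureTracker:
    """Per-IP failure counting with temporary/permanent blocking, modelled on the LF_* settings."""

    def __init__(self, lf_sshd=5, lf_sshd_perm=0, lf_permblock_count=6,
                 lf_permblock_interval=86400, lf_distattack=1, lf_distattack_uniq=2):
        self.lf_sshd = lf_sshd
        self.lf_sshd_perm = lf_sshd_perm
        self.lf_permblock_count = lf_permblock_count
        self.lf_permblock_interval = lf_permblock_interval
        self.lf_distattack = lf_distattack
        self.lf_distattack_uniq = lf_distattack_uniq
        self.fails = defaultdict(int)         # ip -> failures since its last block
        self.account_ips = defaultdict(set)   # account -> IPs that failed against it
        self.temp_blocks = defaultdict(list)  # ip -> timestamps of temporary blocks
        self.permanent = set()
        self.events = []                      # (ts, ip, "temporary"|"permanent", reason)

    def _block(self, ts, ip, reason):
        if ip in self.permanent:
            return
        self.fails[ip] = 0
        if self.lf_sshd_perm == 1:            # LF_SSHD_PERM = "1": the first block is already permanent
            self.permanent.add(ip)
            self.events.append((ts, ip, "permanent", reason))
            return
        # LF_PERMBLOCK: count temporary blocks inside the LF_PERMBLOCK_INTERVAL window
        recent = [t for t in self.temp_blocks[ip] if ts - t < self.lf_permblock_interval] + [ts]
        self.temp_blocks[ip] = recent
        if len(recent) >= self.lf_permblock_count:
            self.permanent.add(ip)
            self.events.append((ts, ip, "permanent",
                                f"{len(recent)} temporary blocks within {self.lf_permblock_interval}s"))
        else:
            self.events.append((ts, ip, "temporary", reason))

    def feed(self, ts, line):
        m = FAILED_RE.search(line)
        if not m:
            return
        account, ip = m.groups()
        if ip in self.permanent:
            return
        self.fails[ip] += 1
        self.account_ips[account].add(ip)
        if self.fails[ip] >= self.lf_sshd:    # LF_TRIGGER = "0": LF_SSHD is the per-service threshold
            self._block(ts, ip, f"{self.fails[ip]} sshd failures")
            return
        # LF_DISTATTACK: the same account hit from >= LF_DISTATTACK_UNIQ IPs whose combined
        # failures reach the threshold -> block every IP involved
        ips = self.account_ips[account]
        if self.lf_distattack and len(ips) >= self.lf_distattack_uniq:
            if sum(self.fails[i] for i in ips) >= self.lf_sshd:
                for other in sorted(ips):
                    self._block(ts, other, f"distributed attack on {account!r} from {len(ips)} IPs")


def build_sample_log():
    """Constructed sshd lines as (timestamp, line) pairs."""
    lines = []
    # A: one IP, five failures against root -> temporary block on the 5th
    for i in range(5):
        lines.append((100 + i, "sshd[1201]: Failed password for root from 198.51.100.7 port 5110 ssh2"))
    # B: two IPs share the work against 'admin': 3 + 2 failures reach LF_SSHD=5 together
    for i in range(3):
        lines.append((200 + i, "sshd[1310]: Failed password for invalid user admin from 203.0.113.10 port 4000 ssh2"))
    for i in range(2):
        lines.append((210 + i, "sshd[1311]: Failed password for invalid user admin from 203.0.113.11 port 4001 ssh2"))
    # C: 198.51.100.7 returns every hour after its block expires; the 6th block within a day is permanent
    for rnd in range(1, 6):
        for i in range(5):
            lines.append((100 + rnd * 3600 + i, "sshd[1400]: Failed password for root from 198.51.100.7 port 5111 ssh2"))
    lines.append((100000, "sshd[1500]: Accepted publickey for deploy from 192.0.2.9 port 3022 ssh2"))  # ignored
    return lines


def run_scenarios(**settings):
    """Feed the constructed log through a tracker built with the given LF_* settings."""
    tracker = LoginFailureTracker(**settings)
    for ts, line in build_sample_log():
        tracker.feed(ts, line)
    return tracker


if __name__ == "__main__":
    for ts, ip, kind, reason in run_scenarios().events:
        print(f"t={ts:>6} {ip:<14} {kind:<9} {reason}")
```

With the article's LF_SSHD_PERM = "1" (`run_scenarios(lf_sshd_perm=1)`) the very first block of each IP is already permanent and the LF_PERMBLOCK escalation never comes into play; that is the difference between the two settings the article conflates.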
LT_POP3D = "30": block POP3 logins from an IP if one account logs in more than 30 times in an hour from that IP. LT_IMAPD works the same way for IMAP.

LT_EMAIL_ALERT = "0": do not send an email when an account exceeds the LT_IMAPD or LT_POP3D limit.

LT_SKIPPERMBLOCK = "0": temporary blocks from LT_POP3D/LT_IMAPD still count towards the LF_PERMBLOCK escalation above. Set it to "1" to exclude them, which is sensible because a mail client polling every minute makes 60 logins an hour and trips this limit without being an attacker.
CT_LIMIT = "300": limits the number of connections from a single IP to the server. If an IP exceeds 300 (counted as configured by CT_STATES and CT_PORTS below), it is temporarily blocked.

CT_INTERVAL = "30": the checks run 30 s apart.

CT_EMAIL_ALERT = "1": send an email when an IP is blocked by connection tracking.

CT_PERMANENT = "0": connection tracking blocks are not permanent.

CT_BLOCK_TIME = "1800": how long, in seconds, an IP is blocked for exceeding the connection tracking limit.

CT_SKIP_TIME_WAIT = "0": connections in TIME_WAIT are still counted when adding up an IP's connections. Set it to "1" to ignore TIME_WAIT, which otherwise inflates the count for busy but well-behaved clients (every closed HTTP connection lingers in TIME_WAIT for a while).

CT_STATES = "SYN_RECV": only count connections in the SYN_RECV state (half-open connections), which makes this a per-IP SYN flood guard. With this setting the TIME_WAIT question above is moot, since TIME_WAIT connections are never counted anyway.

CT_PORTS = "80,443": only apply connection tracking to connections to ports 80 and 443.
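The CT_* settings as a counting rule over `netstat -tan` output, as an added example (not csf's own code): it applies CT_LIMIT, CT_STATES, CT_PORTS and CT_SKIP_TIME_WAIT, and shows that with CT_SKIP_TIME_WAIT = "0" TIME_WAIT connections do count. The netstat output is constructed, and CT_LIMIT is scaled down to 10 in the usage so the sample stays short.

```python
"""Count connections per peer IP the way the CT_* settings describe.

Added example, not csf's code. sample_netstat() is constructed `netstat -tan` output
(Proto Recv-Q Send-Q Local Foreign State); state names follow netstat, which is what the
CT_STATES values (SYN_RECV, TIME_WAIT, ...) use.
"""
from collections import Counter


def parse_netstat(text):
    """Yield (local_port, peer_ip, state) for the tcp lines of `netstat -tan` output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local, peer, state = parts[3], parts[4], parts[5]
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        yield local_port, peer_ip, state


def parse_list(value):
    """Split a csf comma list such as "80,443" into a set of strings."""
    return {v.strip() for v in value.split(",") if v.strip()}


def ct_offenders(netstat_text, ct_limit=300, ct_states="", ct_ports="", ct_skip_time_wait=0):
    """Return {peer_ip: count} for IPs whose counted connections exceed CT_LIMIT."""
    states = parse_list(ct_states)
    ports = {int(p) for p in parse_list(ct_ports)}
    counts = Counter()
    for local_port, peer_ip, state in parse_netstat(netstat_text):
        if state == "LISTEN":
            continue
        if ports and local_port not in ports:      # CT_PORTS: only these local ports
            continue
        if states and state not in states:         # CT_STATES: only these states
            continue
        # CT_SKIP_TIME_WAIT = "1" leaves TIME_WAIT out; "0" (the article's value) counts it
        if ct_skip_time_wait and state == "TIME_WAIT":
            continue
        counts[peer_ip] += 1
    return {ip: n for ip, n in counts.items() if n > ct_limit}


def sample_netstat():
    """Constructed: 198.51.100.4 holds 12 half-open connections to port 80, 203.0.113.9 has
    8 ESTABLISHED plus 6 TIME_WAIT to 443, 192.0.2.7 has 20 SSH sessions."""
    rows = ["Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
    rows += [f"tcp        0      0 10.0.0.5:80             198.51.100.4:{40000 + i}      SYN_RECV" for i in range(12)]
    rows += [f"tcp        0      0 10.0.0.5:443            203.0.113.9:{51000 + i}       ESTABLISHED" for i in range(8)]
    rows += [f"tcp        0      0 10.0.0.5:443            203.0.113.9:{52000 + i}       TIME_WAIT" for i in range(6)]
    rows += [f"tcp        0      0 10.0.0.5:22             192.0.2.7:{60000 + i}         ESTABLISHED" for i in range(20)]
    rows.append("tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN")
    return "\n".join(rows)


if __name__ == "__main__":
    text = sample_netstat()
    print("article settings:", ct_offenders(text, ct_limit=10, ct_states="SYN_RECV", ct_ports="80,443"))
    print("all states, TIME_WAIT counted:", ct_offenders(text, ct_limit=10, ct_ports="80,443"))
    print("all states, TIME_WAIT skipped:", ct_offenders(text, ct_limit=10, ct_ports="80,443", ct_skip_time_wait=1))
```

On a live host the same function can be pointed at `subprocess.run(["netstat", "-tan"], capture_output=True, text=True).stdout`; the point of the three calls in the usage is that the second one flags the HTTPS client only because its six TIME_WAIT sockets are counted.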
PS_INTERVAL = "300", PS_LIMIT = "15": port scan tracking. If more than 15 packets from one IP are dropped and logged by iptables (packets to ports that are not open) within 300 s, that IP is blocked. Dropped packets to ports listed in DROP_NOLOG are never logged and therefore never counted here.

PS_PORTS = "0:65535,ICMP": the port range (and ICMP) whose drops are tracked.

Whether an IP blocked by Port Scan Tracking is blocked temporarily or permanently:
PS_PERMANENT = "0": the IP is temporarily blocked
PS_PERMANENT = "1": the IP is blocked permanently.

PS_BLOCK_TIME = "3600": when PS_PERMANENT = "0", the temporary block duration, in seconds.