The default configuration of cPFence is highly recommended for the majority of use cases. Upon initial scanning of your installation, cPFence will automatically apply the recommended settings based on your server specifications. However, if you require customization of cPFence to suit your specific needs, please refer to the following guidelines.
Configuration File Location
The cPFence configuration file is located at:
/opt/cpfence/config.conf
Applying Changes
IMPORTANT: After making any changes to the configuration file, you must restart cPFence to apply the updates. Use the following command:
cpfence --restart
Alternatively, you can use the command line for changes. Use `cpfence --help` for more information.
---
Configuration Parameters
License Key
Enter your license key to activate cPFence.
licensekey="cPFence-XXXXXXXXXXXXXXXX"
DDoS Protection Limits
You can change the number of connections allowed per IP for the cPFence DDoS Protection module by changing this
To totally disable the DDos Protection simply add a huge number ( e.g., 5000 )
To apply the changes you must restart cPFence by running the command "cpfence --restart"
A value around 100 or 120 is recommended (If exception is needed you can run "cpfence --add-whitelist-ip <IP>" to permanently skip DDos protection for this ip)
CONNECTIONS_LIMIT="100"
Daily Rootkit Scans
Enable or disable Daily scan to detect and remove rootkits, infected hidden processes, kernel modules, and system entries, safeguarding your system from cyber threats. Highly recommended.
ROOTKIT_DAILY="on"
IPDB Protection
Toggle cPFence IPDB protection. Possible options on / off , Default is on
CPF_IPDB="on"
Malware Real-Time Protection
Toggle real-time protection against malware. Possible options on / off , Default is on
CPF_MRTP="on"
Proactive Scan
Proactive scan is an option to determine how fast to detect malware. Possible options on / off.
"On" is the recommended default setting for all systems with the paid version (not available in the free version).
PROACTIVE_SCAN="on"
Auto Quarantine
Auto Quarantine automatically isolates detected threats. Default: off. Recommended: on.
It's advised to run a scan without quarantine first using 'cpfence --full-scan' to review and whitelist safe files.
AUTO_QUARANTINE="off"
EMAILS_QUARANTINE="off"
Email Spam Portection
Enables or disables spam protection, allowing cPFence to treat spam as a threat and quarantine it. Default: off.
EMAIL_SPAM_PROTECTION="off"
cPFence WordPress Integrity Check Configuration
# This section configures the WordPress Integrity Check functionality in cPFence.
# Enabling this feature helps make your WordPress installations bulletproof by
# detecting unauthorized changes, unexpected files, or checksum mismatches in
# WordPress core files, safeguarding your websites from malicious activity.
INTEGRITY_CHECK
Description: Enable or disable the integrity check functionality.
Default: "on"
Example:
INTEGRITY_CHECK="on"
AUTO_FILE_ACTION
Description: Automatically quarantine unexpected files.
Default: "off"
Options:
"on"
: Moves unexpected files to/opt/cpfence/quarantined
for review."off"
: Lists unexpected files for manual review and action.
Example:
AUTO_FILE_ACTION="off"
CHECK_FREQUENCY
Description: Set how often the integrity check runs.
Default: "daily"
Options:
"daily"
: Runs the integrity check once per day."hourly"
: Runs the integrity check once per hour.
Example:
CHECK_FREQUENCY="daily"
Exclusion Lists
- Exclude Specific Websites:
Add the paths of websites to be excluded from the integrity check in the file:
/opt/cpfence/user-config/cpfowl/exclude_integrity_check_sites.txt
- Exclude Specific Files:
Add filenames to be excluded from detection or quarantine in the file:
/opt/cpfence/user-config/cpfowl/exclude_integrity_check_files.txt
Notes
- Ensure the exclusion lists are kept up to date with trusted paths and filenames to minimize false positives.
- Use automatic file handling with caution to avoid quarantining essential files unintentionally.
WAF Module
Enable or Disable OLS/LS latest cPFence WAF Module on OpenliteSpeed/LiteSpeed Servers. Possible options on / off , Default is on if OLS/LS is detected.
Enhance Updates won't disable the cPFence WAF OLS module. cPFence ensures the module remains active and keeps whitelisting rules synchronized.
OLS_WAF="on"
Owl Monitoring System
Owl monitoring system with no CPU/RAM footprint. Highly recommended. Possible options on / off , Default is on
CPFENCE_OWL="on"
The cPFence Owl - Blacklisted Users
This feature allows you to manage and optimize MySQL server resources by automatically terminating long-running queries from specified users. This is particularly useful for preventing poorly coded scripts or queries from monopolizing server resources. You can blacklist specific MySQL usernames or entire accounts by adding them to the BLACKLISTED_USERS
variable in the configuration file. Additionally, you can set a maximum execution duration (MAX_EXECUTION_DURATION
), defining how long a query can run before it is terminated. This feature helps maintain optimal server performance and prevents resource hogging by misbehaving scripts.
Example Configurations :
==============================================================================
# cPFence Owl - Blacklisted Users
# ==============================================================================
# This section configures the MySQL query termination functions within
# the cPFence Owl module. The functions are designed to terminate long-running
# MySQL queries for users specified in the blacklist, helping to prevent
# poorly coded scripts and queries from monopolizing MySQL server resources.
#
# To identify the current MySQL usernames on your server, execute the following command as root:
# mysql -e "SELECT user, COUNT(*) AS login_count FROM mysql.user GROUP BY user ORDER BY login_count DESC;"
#
# Add the usernames to the BLACKLISTED_USERS variable below, separated by |, e.g., BLACKLISTED_USERS="username1|username2"
# You can either add a specific database username to blacklist a single database,
# or use the account username to blacklist all databases associated with that account.
# Specify the maximum allowed duration (in seconds) for a query or script to be considered "long":
BLACKLISTED_USERS="Username1_|Username2_|Username3_"
MAX_EXECUTION_DURATION="30"
Country Blocking and Whitelisting
To manage country blocking and whitelisting, it's recommended to use the command line:
- Block a country:
cpfence --blacklist-country <ISOCODE>
- Whitelist a country:
cpfence --whitelist-country <ISOCODE>
Check ISO codes at: ISO Country Codes.
If you prefer to manually set blocked and whitelisted countries in the configuration file (Useful for mass deploying cPFence configuration on several servers at once ) You can simply add the required whitelisted or blacklisted countries and then restart cPFence :
Example Configuration :
# BLOCKED COUNTRIES : ( DO NOT DELETE THIS LINE! - Your blocked countries should go below this line )
BLOCKED_COUNTRY=cn
BLOCKED_COUNTRY=ru
# WHITELISTED COUNTRIES : ( DO NOT DELETE THIS LINE! - Your whitelisted countries should go below this line )
WHITELISTED_COUNTRY=us
WHITELISTED_COUNTRY=fr
To apply changes, restart cPFence:
cpfence --restart
Warning : Whitelisted countries will skip all IPDB/DDoS protections.
Email Notifications
Configure email notifications for system alerts.
- Specify the recipient email address for notifications.
EMAIL_RECIPIENT="[email protected]"
- Set the CPU load average threshold to trigger notification emails.
The default is 80% of the current detected CPU load, automatically set on cPFence initial installation.
CPULoadAverageThreshold="3"
- Set the threshold percentages for memory, disk usage, and disk I/O to trigger notification emails.
It is recommended to use the default value of 80%.
MEMORY_THRESHOLD="80"
DISK_USAGE_THRESHOLD="80"
DISK_IO_THRESHOLD="80"
- Define the duration in seconds that the resource usage must remain consistently high before sending notification emails.
The default value is 300 seconds (5 minutes).
time_diff_wait="300"
- Define the interval in seconds between sending subsequent notification emails.
The default value is 3600 seconds (1 hour). This prevents excessive notification emails.
email_send_interval="3600"
---
Tip: You can use the cPFence CLI to easily manage configurations , please use the command for more info :
cpfence --help