Configuring cPFence

The default configuration of cPFence is highly recommended for the majority of use cases. Upon initial scanning of your installation, cPFence will automatically apply the recommended settings based on your server specifications. However, if you require customization of cPFence to suit your specific needs, please refer to the following guidelines.

cPFence now offers a powerful, browser-based WebUI for managing your cluster. The WebUI is fully mobile-friendly, allowing you to adjust cPFence settings from any device—including your phone or tablet. You can apply changes per server by selecting the target server from the sidebar dropdown.

  1. Open the cPFence WebUI on your Main Control Panel server.
  2. In the sidebar, use the Switch Server dropdown to select the server you want to configure.
  3. Go to System Settings and click Adjust Settings (One Server) under Configuration Management.
  4. Click Load Current Settings to view the server’s current configuration.
  5. Update the settings values you wish to change (see below for an explanation of each one).
  6. Click Save & Restart to apply your changes.

Your updated settings will take effect immediately.

Configuration Parameters

Note: the following fields are read-only in the WebUI > System Settings page:

  • localkey – internal license key, auto-generated and not editable, leave blank.
  • ENHANCE_API_KEY – set via Tools & Utilities > ApiMachine Bulk Tools > Set Enhance API Key
  • BLOCKED_COUNTRY – managed via Tools & Utilities > Country Blacklisting / Whitelisting
  • WHITELISTED_COUNTRY – managed via Tools & Utilities > Country Blacklisting / Whitelisting

  1. licensekey – Paste the license string you received from cPFence.
  2. localkey – Leave blank; cPFence fills this automatically when it checks the license.
  3. ENHANCE_API_KEY – Set via WebUI > Tools & Utilities > ApiMachine Bulk Tools > Set Enhance API Key, or run cpfence --set-enhance-api-key to store the encrypted Enhance key.
  4. CPFENCE_WEBUI – Set on to enable the central WebUI on the main control panel only.
  5. CONNECTIONS_LIMIT – Maximum concurrent connections per IP before DDoS blocking starts (100 – 120 is typical).
  6. UNDER_ATTACK – Switch to on during an active DDoS to enable extra defences, or run cpfence --under-attack-on.
  7. ROOTKIT_DAILY – Keep on for an automatic rootkit scan each day.
  8. CPF_IPDB – Toggles IPDB blocking; recommended value is on.
  9. CPF_MRTP – Turns real-time malware scanning on or off.
  10. PROACTIVE_SCAN – When on, cPFence scans files faster. Turn it off if you are running a low-performance server (HDD, few CPU cores, etc.).
  11. AUTO_QUARANTINE – If on, infected files are moved automatically to /opt/cpfence/quarantined/.
  12. EMAILS_QUARANTINE – Quarantines suspicious email messages when set to on.
  13. QUARANTINE_DAYS – Defines how many days quarantined files/logs are kept before being automatically cleared. Default: 60.
  14. EMAIL_SPAM_PROTECTION – Treats spam as a threat and quarantines it.
  15. CPFENCE_SPAM_AUTOSHIELD – Enables server-wide smart spam filtering for mail.
  16. SPAM_AUTOSHIELD_LIMITS – Turns the Spam AutoShield Outbound Limits module on or off.
  17. MAX_SMTP_MSGS_PER_HOUR – Maximum SMTP Messages per Hour before getting blocked.
  18. MAX_WEB_MSGS_PER_HOUR – Maximum Website Messages per Hour before getting blocked.
  19. INTEGRITY_CHECK – Runs a WordPress core checksum audit.
  20. AUTO_FILE_ACTION – With on, unexpected WP files are quarantined automatically.
  21. CHECK_FREQUENCY – Choose daily or hourly for integrity checks.
  22. cPFence_wp_autoshield – Master switch that enables or disables WP AutoShield daily cron.
  23. cPFence_autoupdate_wp_sites_list – Keeps the WordPress site list updated before each cron job run.
  24. autoshield_updates – When on, applies WP core, theme, and plugin updates automatically.
  25. autoshield_vuln_report – Sends a weekly email report of WP vulnerabilities.
  26. autoshield_disable_wp_cron – Replaces WP-Cron with a system cron for better performance.
  27. autoshield_set_wp_secure_keys – Set WP salts daily for every site only if they are not found.
  28. autoshield_disable_wp_file_edit – Disables the built-in theme and plugin editors.
  29. autoshield_disable_wp_pingbacks – Blocks pingbacks to reduce spam and reflection attacks.
  30. autoshield_set_wp_permissions – Applies recommended file and directory permissions to WordPress.
  31. autoshield_wp_hardening – Locks critical WP files such as wp-config.php and uploads.
  32. autoshield_disable_wp_xmlrpc – Turns off XML-RPC unless it is truly required.
  33. autoshield_wp_limit_login – Adds rate-limiting to wp-login.php.
  34. autoshield_wp_captcha – Adds a simple math CAPTCHA to WP login and registration forms.
  35. autoshield_wp_idle_logout – Logs out idle WP users after 120 minutes.
  36. autoshield_rename_wp_admin – Renames the default “admin” username to a safer value and sends you a report by email.
  37. autoshield_disable_xss_in_posts – Strips risky scripts and iframes from WP posts.
  38. autoshield_plugin_blacklist_removal – Deletes plugins found in your blacklist file. (/var/log/cpfenceav/blacklisted-wp-plugins.txt)
  39. autoshield_custom_mu_plugin – Deploys the MU plugin stored in /var/log/cpfenceav/mu-plugin.
  40. autoshield_cache_plugin_removal – Removes most cache plugins except LiteSpeed Cache plugin.
  41. autoshield_bulk_wp_db_scan – Scans all WP databases for malware each day and sends you an alert if any malware is found.
  42. autoshield_bulk_wp_db_optimize – Optimises all WP databases daily to improve performance and reduce overhead.
  43. autoshield_security_headers – Adds standard security headers across all WP sites.
  44. autoshield_force_plugin_bundle – Forces the installation of mandatory plugins listed in /var/log/cpfenceav/wp-plugin-bundle.txt.
  45. autoshield_clear_litespeed_cache – Clears LiteSpeed cache for every WP site daily.
  46. autoshield_disable_ls_cache_login_page – Disables LiteSpeed cache on login pages for every WP site daily. (Recommended when using cPFence WAF Captcha)
  47. CPF_BACKUP_ENABLED – Enables the built-in WordPress backup system.
  48. CPF_REMOTE_BACKUP_ENABLED – Sends WordPress backups to a remote server via SSH.
  49. CPF_BACKUP_SSH_PORT – SSH port used by the remote backup target.
  50. CPF_BACKUP_RETENTION – Number of backup snapshots kept per site.
  51. CPF_BACKUP_SCHEDULE – Backup schedule: either daily, or comma-separated weekdays (0 = Sun; for example, "1,4" for Monday and Thursday).
  52. CPF_WAF – Controls the web-application firewall module.
  53. CPFENCE_OWL – Activates lightweight resource and process monitoring.
  54. OWL_HISTORY – Stores Owl metrics (~30 days). Disable to stop storage; on main CP servers this also hides charts.
  55. BLACKLISTED_USERS – Pipe-separated MySQL usernames whose long queries should be killed. (Deprecated; use OWL_AUTO_MySQL instead)
  56. MAX_EXECUTION_DURATION – Time in seconds before a MySQL query is terminated. (A value of 30 is recommended.)
  57. OWL_AUTO_MySQL – Turns automatic slow-query management on or off.
  58. EXCLUDED_USERS_AUTO_MySQL – Users exempt from AutoMySQL, separated by |.
  59. BLOCKED_COUNTRY / WHITELISTED_COUNTRY – ISO alpha-2 codes of countries to block or allow, managed via Tools & Utilities > Country Blacklisting / Whitelisting.
  60. EMAIL_RECIPIENT – Address that receives notification emails from cPFence.
  61. daily_ip_reputation_check – Runs a daily reputation scan on server IPs.
  62. CPFENCE_MONITORPRO – Enables external uptime and keyword monitoring.
  63. CPFENCE_LOGSPOT – Permits end-users to view site traffic logs.
  64. CPFENCE_LOGSIZE_LIMIT – Maximum log size per site (in MB) for LogSpot module.
  65. WEBSITE_ID_LOGIN – Allows LogSpot access using a numeric site ID.
  66. SEND_CPF_UPDATE_NOTIFICATION – Emails you whenever cPFence upgrades itself.
  67. SEND_ROOT_LOGIN_ALERT – Emails you when a root SSH login occurs. Whitelisted IPs are excluded.
  68. SLACK_NOTIFICATIONS – Sends alerts to Slack if a webhook URL is set.
  69. SLACK_WEBHOOK_URL – Incoming webhook used for Slack alerts.
  70. CPULoadAverageThreshold – Load average that triggers a resource-usage email alert.
  71. MEMORY_THRESHOLD – Percent of RAM usage that triggers alerts.
  72. DISK_USAGE_THRESHOLD – Disk usage percentage that triggers alerts.
  73. DISK_IO_THRESHOLD – Disk I/O percentage that triggers alerts.
  74. INODE_THRESHOLD – Inode usage percentage that triggers alerts.
  75. time_diff_wait – Seconds usage must stay high before cPFence sends an alert.
  76. email_send_interval – Minimum seconds between successive alert emails.

Configuration File Location


The cPFence configuration file is located at:

/opt/cpfence/config.conf


Applying Changes


IMPORTANT: After making any changes to the configuration file, you must restart cPFence to apply the updates. Use the following command:

cpfence --restart



Alternatively, you can use the command line for changes. Use `cpfence --help` for more information.
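
An added example, not part of cPFence or of the original article: a pre-restart check that compares a config file with the values this page recommends (ROOTKIT_DAILY and CPF_IPDB on, CONNECTIONS_LIMIT 100-120, MAX_EXECUTION_DURATION 30, a well-formed CPF_BACKUP_SCHEDULE). It assumes config.conf stores one KEY=value pair per line with optionally quoted values, which the page does not confirm; all function names are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not cPFence code): flag settings that differ from this page's advice.
# ASSUMPTION: config.conf holds one KEY=value per line, value optionally quoted.

# cfg_get FILE KEY -> prints the value (last assignment wins, quotes stripped).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# CPF_BACKUP_SCHEDULE is either "daily" or comma-separated weekdays, 0 = Sun.
valid_schedule() {
    [ "$1" = "daily" ] || printf '%s\n' "$1" | grep -Eq '^[0-6](,[0-6])*$'
}

# is_uint VALUE -> true when VALUE is a non-empty string of digits.
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# audit_config FILE -> prints one finding per line; prints nothing when clean.
audit_config() {
    for a_key in ROOTKIT_DAILY CPF_IPDB; do
        a_val=$(cfg_get "$1" "$a_key")
        [ "$a_val" = "on" ] || echo "WARN $a_key=${a_val:-<unset>}, page recommends on"
    done
    a_val=$(cfg_get "$1" CONNECTIONS_LIMIT)
    if ! is_uint "$a_val"; then
        echo "WARN CONNECTIONS_LIMIT=${a_val:-<unset>} is not a number"
    elif [ "$a_val" -lt 100 ] || [ "$a_val" -gt 120 ]; then
        echo "NOTE CONNECTIONS_LIMIT=$a_val is outside the typical 100-120"
    fi
    a_val=$(cfg_get "$1" MAX_EXECUTION_DURATION)
    [ "$a_val" = "30" ] || echo "NOTE MAX_EXECUTION_DURATION=${a_val:-<unset>}, page recommends 30"
    a_val=$(cfg_get "$1" CPF_BACKUP_SCHEDULE)
    valid_schedule "$a_val" || echo "WARN CPF_BACKUP_SCHEDULE=${a_val:-<unset>} is not daily or weekdays 0-6"
    return 0
}

# Constructed sample input (not a real server's config).
write_sample() {
    cat > "$1" <<'EOF'
ROOTKIT_DAILY="on"
CPF_IPDB="off"
CONNECTIONS_LIMIT="500"
MAX_EXECUTION_DURATION="30"
CPF_BACKUP_SCHEDULE="1,7"
EOF
}

# Audit the file given as the first argument, e.g. /opt/cpfence/config.conf
if [ -n "${1:-}" ]; then audit_config "$1"; fi
```

On the constructed sample, the audit reports three findings: CPF_IPDB is off, CONNECTIONS_LIMIT is 500, and the schedule contains the invalid weekday 7.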


