Drop Down MenusCSS Drop Down MenuPure CSS Dropdown Menu

Free Hosting Firewall CSF

Installation
============
Installation is quite straightforward:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Next, test whether you have the required iptables modules:

perl /usr/local/csf/bin/csftest.pl
If you see the test results as shown below, then CSF is running without problems on your server:
Don't worry if you cannot run all the features, so long as the script doesn't
report any FATAL errors

You should not run any other iptables firewall configuration script. For
example, if you previously used APF+BFD you can remove the combination (which
you will need to do if you have them installed otherwise they will conflict):

sh /usr/local/csf/bin/remove_apf_bfd.sh

That's it. You can then configure csf and lfd by reading the documentation and
configuration files in /etc/csf/csf.conf and /etc/csf/readme.txt directly or
through the csf User Interface.

csf installation for cPanel and DirectAdmin is preconfigured to work on those
servers with all the standard ports open.

csf auto-configures your SSH port on installation where it's running on a non-
standard port.

csf auto-whitelists your connected IP address where possible on installation.

You should ensure that kernel logging daemon (klogd) is enabled. Typically, VPS
servers running RedHat/CentOS v5 have this disabled and you should check
/etc/init.d/syslog and make sure that any klogd lines are not commented out. If
you change the file, remember to restart syslog.

See the csf.conf and readme.txt files for more information.


Webmin Module Installation/Upgrade
==================================

To install or upgrade the csf webmin module:

Install csf as above
Install the csf webmin module in:
  Webmin > Webmin Configuration > Webmin Modules >
  From local file > /usr/local/csf/csfwebmin.tgz > Install Module


Uninstallation
==============
Removing csf and lfd is even more simple:

cd /etc/csf
sh uninstall.sh


GD::Graph
=========
This perl module is required for Statistical Graphs available from the csf UI.
It is dependent on graphical libraries being installed for your OS (e.g.
libgd, libpng, etc. which is beyond the scope of this document)

The perl module itself can be installed in a variety of ways, e.g.:

RedHat/CentOS/CloudLinux:
# yum install perl-GDGraph

Debian v6:
# apt-get install libgd-graph-perl

Direct from cpan.org:
# perl -MCPAN -e shell
cpan> install GD::Graph

Basic CSF Commands

1. Start the firewall (enable the firewall rules):
csf -s
2. Flush/Stop the firewall rules.
csf -f
3. Reload the firewall rules.
csf -r
4. Allow an IP and add it to csf.allow.
csf -a 192.168.1.109
Results:
Adding 192.168.1.109 to csf.allow and iptables ACCEPT... ACCEPT  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0   ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
5. Remove and delete an IP from csf.allow.
csf -ar 192.168.1.109
Results:
Removing rule... ACCEPT  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0   ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
6. Deny an IP and add to csf.deny:
csf -d 192.168.1.109
Results:
Adding 192.168.1.109 to csf.deny and iptables DROP... DROP  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0   LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
7. Remove and delete an IP from csf.deny.
csf -dr 192.168.1.109
Removing rule...Results:
DROP  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0   LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
8. Remove and Unblock all entries from csf.deny.
csf -df
Results:
DROP  all opt -- in !lo out *  192.168.1.110  -> 0.0.0.0/0   LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.110   DROP  all opt -- in !lo out *  192.168.1.111  -> 0.0.0.0/0   LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.111     csf: all entries removed from csf.deny
9. Search for a pattern match on iptables e.g : IP, CIDR, Port Number
csf -g 192.168.1.110

Advanced Configuration

Here are some tweaks about CSF, so you can configure as you need.
Back to the csf configuration directory, and edit the csf.conf configuration file:
cd /etc/csf/ vim csf.conf
1. Don't Block IP addresses that are in the csf.allow files.
By default lfd also will block an IP under csf.allow files, so if you want that an IP in csf.allow files never get blocked by lfd, then please go to the line 272 and change "IGNORE_ALLOW" to "1". This is useful when you have a static IP at home or in office and want to ensure that your IP never gets blocked by the firewall on your internet server.
IGNORE_ALLOW = "1"
2. Allow Incoming and Outgoing ICMP.
Go to the line 152 for incoming ping/ICMP:
ICMP_IN = "1"
And line 159 for outgoing ping ping/ICMP:
ICMP_OUT = "1"
3. Block Certain Countrys
CSF provide an option to allow and deny access by country using the CIDR (Country Code). Go to line 836 and add the country codes that shall be allowed and denied:
CC_DENY = "CN,UK,US" CC_ALLOW = "ID,MY,DE"
4. Send the Su and SSH Login log by Email.
You can set an email address that is used by LFD to send an email about "SSH Login" events and users that run the "su" command, go to the line 1069 and change the value to "1".
LF_SSH_EMAIL_ALERT = "1" ... LF_SU_EMAIL_ALERT = "1"
And then define the email address you want to use in line 588.
LF_ALERT_TO = "mymail@mydomain.tld"
If you want more tweaks, read the options in the "/etc/csf/csf.conf" configuration file.

Comments

Popular posts from this blog

VMWARE WORKSTATION 3,4,5,6,7,8,9,10,11,12,14,15...etc LICENSE KEYS COLLECTION

How to find the server is whether standby (slave) or primary(master) in Postgresql replication ?

Oracle to Postgresql migration

PostgreSQL Enterprise Manager - PEM Monitoring Tools

7 Steps to configure BDR replication in postgresql