
Setup ConfigServer Security and Firewall (CSF)

Step 1 - Installation of CSF dependencies

The CSF scripts require the perl-libwww-perl Perl module, so install that dependency first:
[root@nijam ~]# yum install perl-libwww-perl
Loaded plugins: auto-update-debuginfo, fastestmirror, protectbase, refresh-
: packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: centos.excellmedia.net
* epel: epel.mirror.net.in
* epel-debuginfo: epel.mirror.net.in
...
...
...
Installed:
perl-libwww-perl.noarch 0:5.833-2.el6

Complete!

Step 2 - Install CSF

Change to the "/usr/src/" directory and download CSF with the wget command:
[root@nijam ~]#  cd /usr/src/
[root@nijam src]# wget http://www.configserver.com/free/csf.tgz
--2016-03-17 09:59:46-- http://www.configserver.com/free/csf.tgz
Resolving www.configserver.com... 109.70.137.78, 2a01:c0:2:22::3
Connecting to www.configserver.com|109.70.137.78|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
...
...
...

100%[======================================>] 688,544 364K/s in 1.8s

2016-03-17 09:59:49 (364 KB/s) - “csf.tgz” saved [688544/688544]

To remove the existing firewall: the combination of APF (Advanced Policy Firewall) and BFD (Brute Force Detection) must be removed to avoid conflicts with CSF. Run the following command to remove them:
[root@nijam src]# sh /usr/src/csf/remove_apf_bfd.sh
sh: /tmp/csf/remove_apf_bfd.sh: No such file or directory
Note: I had not installed APF & BFD before, that's why it says "no such file or directory".

Extract the tar.gz file and go to the csf directory, then install it:
[root@nijam ~]# cd /usr/src
[root@nijam src]# tar -xzf csf.tgz
[root@nijam src]# cd csf
[root@nijam src]# sh install.sh
Selecting installer...

Running csf generic installer

Installing generic csf and lfd

Check we're running as root
...
...
...
mode of `/etc/init.d/lfd' retained as 0755 (rwxr-xr-x)
mode of `/etc/init.d/csf' retained as 0755 (rwxr-xr-x)
`/etc/csf/csfwebmin.tgz' -> `/usr/local/csf/csfwebmin.tgz'

Installation Completed
 
Now you should check that CSF really works on this server. Go to the "/usr/local/csf/bin/" directory and run "csftest.pl":
# cd /usr/local/csf/bin/
# perl csftest.pl 
If you see the test result shown below, CSF can run without problems on your server:
RESULT: csf should function on this server
The commands above install and start CSF in testing mode. Before you disable testing mode, configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options for your server. Make the following changes in the file /etc/csf/csf.conf:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

Step 3 - Configure CSF on CentOS 7

Before stepping into the CSF configuration process, the first thing you must know is that CentOS 7 has a default firewall application called "firewalld". You have to stop firewalld and remove it from the startup so that it does not conflict with CSF.
Stop the firewalld:
systemctl stop firewalld
Disable firewalld so that it is no longer started at boot:
systemctl disable firewalld
Then go to the CSF Configuration directory "/etc/csf/" and edit the file "csf.conf" with the vim editor:
vim /etc/csf/csf.conf
On line 11, change "TESTING" to "0" so that the firewall configuration is applied:
TESTING = "0"
By default CSF allows incoming and outgoing traffic on the standard SSH port 22. If you use a different SSH port, add your port to "TCP_IN" on line 139 before applying the configuration.
Now start CSF and LFD with systemctl command:
systemctl start csf
systemctl start lfd
And then enable the csf and lfd services to be started at boot time:
systemctl enable csf
systemctl enable lfd
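As an added example (not a script from the original post or from the CSF project), the following POSIX shell pre-flight check confirms, before TESTING is switched to "0", that the SSH port is listed in TCP_IN, since a missing entry locks the administrator out once the rules go live. It assumes the KEY = "value" layout of csf.conf shown above; the ssh_port_from_config helper and the file paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original post or from the CSF project:
# pre-flight check of a csf.conf before switching TESTING from "1" to "0",
# so the SSH port is guaranteed to be in TCP_IN when the rules go live.
# Assumes the KEY = "value" layout used by csf.conf (as quoted above).

# Print the quoted value of KEY ($2) from FILE ($1); first match only.
csf_get_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 if PORT ($2) is covered by the comma-separated list ($1), which
# may hold single ports (22) and ranges written lo:hi (33434:33523).
csf_port_allowed() {
    rest=$(printf '%s' "$1" | tr -d ' '),   # strip blanks, add a terminator
    port=$2
    while [ -n "$rest" ]; do
        entry=${rest%%,*}; rest=${rest#*,}  # pop the first entry
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi ;;
            '')  ;;                         # empty field, skip
            *)   if [ "$entry" = "$port" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Read the sshd listening port from an sshd_config ($1); 22 when "Port" is
# absent or commented out, which is the CentOS default.
ssh_port_from_config() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1)
    echo "${p:-22}"
}

# Return 0 when csf.conf ($1) is safe to switch to TESTING="0" for an sshd
# on port $2; otherwise report the problem on stderr and return 1.
csf_preflight() {
    tcp_in=$(csf_get_value "$1" TCP_IN)
    if ! csf_port_allowed "$tcp_in" "$2"; then
        echo "SSH port $2 is not in TCP_IN=\"$tcp_in\"; add it before setting TESTING=\"0\"" >&2
        return 1
    fi
    echo "SSH port $2 is in TCP_IN (TESTING is \"$(csf_get_value "$1" TESTING)\"); safe to set TESTING=\"0\""
}

# Usage on a real host (paths are the CentOS defaults):
# csf_preflight /etc/csf/csf.conf "$(ssh_port_from_config /etc/ssh/sshd_config)"
```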

Step 4 - CSF Configuration Files

CSF Configuration Usage and Options
  • csf.conf : The main configuration file for controlling CSF.
  • csf.deny : The list of denied IPs and CIDR addresses on the firewall.
  • csf.allow : The list of allowed IPs and CIDR addresses on the firewall.
  • csf.*ignore : The various ignore files for users, IPs and so on.
  • csf.ignore : The list of ignored IPs and CIDR addresses on the firewall.
Commands and Options of CSF
  • Option -r is used to reload all rules.
  • Option -d is used to deny an IP address
  • Option -a is used to allow an IP address
# csf -d IPADDRESS
# csf -a IPADDRESS
# csf -r

 
Go back to the CSF configuration directory and edit the csf.conf configuration file:
# vi /etc/csf/csf.conf
1. Don't block IP addresses that are listed in the csf.allow file.
By default lfd will also block an IP that is listed in csf.allow. If you want IPs in csf.allow never to be blocked by lfd, go to line 272 and change "IGNORE_ALLOW" to "1". This is useful when you have a static IP at home or in the office and want to ensure that it never gets blocked by the firewall on your internet server.
IGNORE_ALLOW = "1"
2. Allow Incoming and Outgoing ICMP.
Go to the line 152 for incoming ping/ICMP:
ICMP_IN = "1"
And line 159 for outgoing ping/ICMP:
ICMP_OUT = "1"
3. Block certain countries
CSF provides an option to allow and deny access by country using country codes (CC). Go to line 836 and add the country codes that shall be denied and allowed:
CC_DENY = "CN,UK,US"
CC_ALLOW = "ID,MY,DE"
4. Send the su and SSH login logs by email.
You can set an email address that LFD uses to send an email about "SSH login" events and about users that run the "su" command. Go to line 1069 and change the values to "1":
LF_SSH_EMAIL_ALERT = "1"

...

LF_SU_EMAIL_ALERT = "1"
Then define the email address you want to use on line 588:
LF_ALERT_TO = "admin@tutorialdba.com"
If you want more tweaks, read the options in the "/etc/csf/csf.conf" configuration file.

 

Step 5 - CSF Commands

1. Start the firewall (enable the firewall rules):
csf -s
2. Flush/Stop the firewall rules.
csf -f
3. Reload the firewall rules.
csf -r
4. Allow an IP and add it to csf.allow.
# csf -a 192.168.1.109
Adding 192.168.1.109 to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0 
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
5. Remove and delete an IP from csf.allow.
# csf -ar 192.168.1.109

Removing rule...
ACCEPT  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0 
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
6. Deny an IP and add it to csf.deny:
 # csf -d 192.168.1.109

Adding 192.168.1.109 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
7. Remove and delete an IP from csf.deny.
# csf -dr 192.168.1.109

Removing rule...
DROP  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
8. Remove and Unblock all entries from csf.deny.
# csf -df
DROP  all opt -- in !lo out *  192.168.1.110  -> 0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.110 
DROP  all opt -- in !lo out *  192.168.1.111  -> 0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.111   
csf: all entries removed from csf.deny
9. Search the iptables rules for a pattern match, e.g. an IP, CIDR range or port number:
csf -g 192.168.1.110

10. List the current CSF rules with the command:
csf -l
Step 6 - Example: Deny a Host
[root@nijam csf]# csf -d 192.168.7.101
Adding 192.168.7.101 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 192.168.7.101 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.7.101

[root@nijam csf]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
...
...
....
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
 To list the rules:
[root@ijam csf]# csf -l
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source des
.....
.....
.....
Chain DENYIN (1 references)
num pkts bytes target prot opt in out source destination

1 1 165 DROP all -- !lo * 192.168.7.101 0.0.0.0/0

...
...
...
To verify, try to reach the IP:
[root@nijam csf]# ping 192.168.7.101
PING 192.168.7.101 (192.168.7.101) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
Now add it to the allow list:
[root@nijam csf]# csf -a 192.168.7.101
Removing 192.168.7.101 from csf.deny...
Removing rule...
DROP all opt -- in !lo out * 192.168.7.101 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.7.101
Adding 192.168.7.101 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 192.168.7.101 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.7.101
[root@ijam csf]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
...
...
...
To list the rules again:
[root@nijam csf]# csf -l
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- !lo * 8.8.8.8 0.0.0.0/0 tcp dpt:53

Chain ALLOWOUT (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * !lo 0.0.0.0/0 192.168.7.101

.....
To verify the result:
[root@nijam csf]# ping 192.168.7.101
PING 192.168.7.101 (192.168.7.101) 56(84) bytes of data.
64 bytes from 192.168.7.101: icmp_seq=1 ttl=128 time=1.40 ms
64 bytes from 192.168.7.101: icmp_seq=2 ttl=128 time=0.377 ms
64 bytes from 192.168.7.101: icmp_seq=3 ttl=128 time=0.321 ms
64 bytes from 192.168.7.101: icmp_seq=4 ttl=128 time=0.241 ms
64 bytes from 192.168.7.101: icmp_seq=5 ttl=128 time=0.341 ms
............

Step 7 - To remove the CSF firewall:
Run the uninstall script /etc/csf/uninstall.sh to remove CSF and LFD:
[root@nijam csf]# /etc/csf/uninstall.sh
Uninstalling csf and lfd...

Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
...
...
...
removed directory: `/var/lib/csf/ui'
removed directory: `/var/lib/csf'

...Done
