Drop Down MenusCSS Drop Down MenuPure CSS Dropdown Menu

Setup ConfigServer Security and Firewall ( CSF )

-

Step 1 - Installation of CFS dependencies

CSF script requires perl modules , it is a csf dependencies module
[root@nijam ~]# yum install perl-libwww-perl
Loaded plugins: auto-update-debuginfo, fastestmirror, protectbase, refresh-
: packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: centos.excellmedia.net
* epel: epel.mirror.net.in
* epel-debuginfo: epel.mirror.net.in
...
...
...
Installed:
perl-libwww-perl.noarch 0:5.833-2.el6

Complete!

Step 2 - Install CSF

Please go to the "/usr/src/" directory and download CSF with wget command.
[root@nijam ~]#  cd /usr/src/
[root@nijam src]# wget http://www.configserver.com/free/csf.tgz
--2016-03-17 09:59:46-- http://www.configserver.com/free/csf.tgz
Resolving www.configserver.com... 109.70.137.78, 2a01:c0:2:22::3
Connecting to www.configserver.com|109.70.137.78|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
...
...
...

100%[======================================>] 688,544 364K/s in 1.8s

2016-03-17 09:59:49 (364 KB/s) - “csf.tgz” saved [688544/688544]

To remove existing Firewall :The combination APF (Advanced Policy Firewall) +BFD(Brute Force Detection) must be removed in order to avoid the conflicts. Run the following command to remove the existing Firewall.
[root@nijam src]# sh /usr/src/csf/remove_apf_bfd.sh
sh: /tmp/csf/remove_apf_bfd.sh: No such file or directory
Note:I have not installed APF & BFD in before that's why it say's no such file or directory

Extract the tar.gz file and go to the csf directory, then install it:
[root@nijam ~]# cd /usr/src
[root@nijam src]# tar -xzf csf.tgz
[root@nijam src]# cd csf
[root@nijam src]# sh install.sh
Selecting installer...

Running csf generic installer

Installing generic csf and lfd

Check we're running as root
...
...
...
mode of `/etc/init.d/lfd' retained as 0755 (rwxr-xr-x)
mode of `/etc/init.d/csf' retained as 0755 (rwxr-xr-x)
`/etc/csf/csfwebmin.tgz' -> `/usr/local/csf/csfwebmin.tgz'

Installation Completed
 
Now you should check that CSG really works on this server. Go to the "/usr/local/csf/bin/" directory, and run "csftest.pl".
# cd /usr/local/csf/bin/
# perl csftest.pl
If you see the test results as shown below, then CSF is running without problems on your server:
RESULT: csf should function on this server

The commands above will install and starts CSF in testing mode. To disable Testing mode configure your CSF for TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options. Make the following changes /etc/csf/csf.conf in the file.
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

Step 3 - Configure CSF on CentOS 7

Before stepping into the CSF configuration process, the first thing you must know is that "CentOS 7" has a default firewall application called "firewalld". You have to stop firewalld and remove it from the startup.
Stop the firewalld:
systemctl stop firewalld
Disable/Remove firewalld from the startup:
systemctl disable firewalld
Then go to the CSF Configuration directory "/etc/csf/" and edit the file "csf.conf" with the vim editor:
vim /etc/csf/csf.conf
Change line 11 "TESTING " to "0" for applying the firewall configuration.
TESTING = "0"
By default CSF allows incoming and outgoing traffic for the SSH standard port 22, if you use a different SSH port then please add your port to the configuration in line 139 "TCP_IN".
Now start CSF and LFD with systemctl command:
systemctl start csf
systemctl start lfd
And then enable the csf and lfd services to be started at boot time:
systemctl enable csf
systemctl enable lfd

Step 4 - CSF Configuration Files:

CSF Configuration Usage and Options
  • csf.conf : The main configuration file for controlling CSF.
  • csf.deny : The list of denied IPs and CIDR addresses on the firewall.
  • csf.allow : The list of allowed IPs and CIDR addresses on the firewall.
  • csf.*ignore : The list of various ignore files of users, IPs.
  • csf.ignore : The list of ignored IP?s and CIDR addresses on the firewall.
Commands and Options of CSF
  • Option -r is used to reload all rules.
  • Option -d is used to deny an IP address
  • Option -a is used to allow an IP address
# csf -d IPADDRESS
# csf -a IPADDRESS
# csf -r
 
Back to the csf configuration directory, and edit the csf.conf configuration file:
# vi /etc/csf/csf.conf
1. Don't Block IP addresses that are in the csf.allow files.
By default lfd also will block an IP under csf.allow files, so if you want that an IP in csf.allow files never get blocked by lfd, then please go to the line 272 and change "IGNORE_ALLOW" to "1". This is useful when you have a static IP at home or in office and want to ensure that your IP never gets blocked by the firewall on your internet server.
IGNORE_ALLOW = "1"
2. Allow Incoming and Outgoing ICMP.
Go to the line 152 for incoming ping/ICMP:
ICMP_IN = "1"
And line 159 for outgoing ping ping/ICMP:
ICMP_OUT = "1"
3. Block Certain Countries
CSF provide an option to allow and deny access by country using the CIDR (Country Code). Go to line 836 and add the country codes that shall be allowed and denied:
CC_DENY = "CN,UK,US"
CC_ALLOW = "ID,MY,DE"
4. Send the Su and SSH Login log by Email.
You can set an email address that is used by LFD to send an email about "SSH Login" events and users that run the "su" command, go to the line 1069 and change the value to "1".
LF_SSH_EMAIL_ALERT = "1"

...

LF_SU_EMAIL_ALERT = "1"
And then define the email address you want to use in line 588.
LF_ALERT_TO = "admin@tutorialdba.com"
If you want more tweaks, read the options in the "/etc/csf/csf.conf" configuration file.

 

Step 5 - CSF Commands

1. Start the firewall (enable the firewall rules):
csf -s
2. Flush/Stop the firewall rules.
csf -f
3. Reload the firewall rules.
csf -r
4. Allow an IP and add it to csf.allow.

# csf -a 192.168.1.109
Adding 192.168.1.109 to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0 
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
5. Remove and delete an IP from csf.allow.
# csf -ar 192.168.1.109

Removing rule...
ACCEPT  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0 
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
6. Deny an IP and add to csf.deny:
 # csf -d 192.168.1.109

Adding 192.168.1.109 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
7. Remove and delete an IP from csf.deny.
# csf -dr 192.168.1.109

Removing rule...
DROP  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
8. Remove and Unblock all entries from csf.deny.
# csf -df
DROP  all opt -- in !lo out *  192.168.1.110  -> 0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.110 
DROP  all opt -- in !lo out *  192.168.1.111  -> 0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.111   
csf: all entries removed from csf.deny
9. Search for a pattern match on iptables e.g : IP, CIDR, Port Number
csf -g 192.168.1.110

10.Now you can see the list default rules of CSF with command:
csf -l
Step 6 - For Example Deny The Host
[root@nijam csf]# csf -d 192.168.7.101
Adding 192.168.7.101 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 192.168.7.101 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.7.101

[root@nijam csf]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
...
...
....
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
 To list the rules:
[root@ijam csf]# csf -l
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source des
.....
.....
.....
Chain DENYIN (1 references)
num pkts bytes target prot opt in out source destination

1 1 165 DROP all -- !lo * 192.168.7.101 0.0.0.0/0

...
...
...
 To verify try to connect the IP :
[root@nijam csf]# ping 192.168.7.101
PING 192.168.7.101 (192.168.7.101) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
Now add to allow list
[root@nijam csf]# csf -a 192.168.7.101
Removing 192.168.7.101 from csf.deny...
Removing rule...
DROP all opt -- in !lo out * 192.168.7.101 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.7.101
Adding 192.168.7.101 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 192.168.7.101 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.7.101
[root@ijam csf]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
...
...
...
To list the rules again 
[root@nijam csf]# csf -l
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- !lo * 8.8.8.8 0.0.0.0/0 tcp dpt:53

Chain ALLOWOUT (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * !lo 0.0.0.0/0 192.168.7.101

.....
To verify output
[root@nijam csf]# ping 192.168.7.101
PING 192.168.7.101 (192.168.7.101) 56(84) bytes of data.
64 bytes from 192.168.7.101: icmp_seq=1 ttl=128 time=1.40 ms
64 bytes from 192.168.7.101: icmp_seq=2 ttl=128 time=0.377 ms
64 bytes from 192.168.7.101: icmp_seq=3 ttl=128 time=0.321 ms
64 bytes from 192.168.7.101: icmp_seq=4 ttl=128 time=0.241 ms
64 bytes from 192.168.7.101: icmp_seq=5 ttl=128 time=0.341 ms
............

 Step 7 -To remove CSF Firewall :
Run the following script located under /etc/csf/uninstall.sh directory to remove CSF Firewall.
[root@nijam csf]# /etc/csf/uninstall.sh
Uninstalling csf and lfd...

Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
...
...
...
removed directory: `/var/lib/csf/ui'
removed directory: `/var/lib/csf'

...Done


Comments

Post a Comment

Popular posts from this blog

7 Steps to configure BDR replication in postgresql

-
Image
 The  BDR  (Bi-Directional Replication) project adds multi-master replication to PostgreSQL 9.4.  Postgres-BDR has a lower impact on the masters(s) than trigger-based replication solutions. There is no write-amplification, as it does not require triggers to write to queue tables in order to replicate writes.   Here We are using  postgres version 9.4.12 and bdr version 1.0.2. for configuring  multi master replication . Simply Following 7 steps you can configure the multi master replication in postgresql. To download the bdr in below link. .   https://github.com/2ndQuadrant/bdr/archive/bdr-pg/REL9_4_12-1.tar.gz $ tar -xzvf REL9_4_12-1.tar.gz $ wget https://github.com/2ndQuadrant/bdr/archive/bdr-plugin/1.0.2.tar.gz $ tar -xzvf 1.0.2.tar.gz 1. To install BDR. $ cd ~/bdr-bdr-pg-REL9_4_12-1 $ ./configure --prefix=/usr/lib/postgresql/9.4 --enable-debug --with-openssl $ make -j4 -s install-world $ cd ~/bdr-bdr-plugin-1.0.2 $ PATH=/usr/lib/postgresql/9.4/bin:"$PATH" ./c
Read more

How to find the server is whether standby (slave) or primary(master) in Postgresql replication ?

-
Method 1 You can check the mode of the server using "pg_controldata". [pgsql@test~]$ pg_controldata /usr/local/pgsql/data84/ Database cluster state: in archive recovery --> This is Standby Database Database cluster state: in production --> This is Production Database [Master] Method 2 You can use pg_is_in_recovery() which returns True if recovery is still in progress(so the server is running in standby mode or slave) postgres=# select pg_is_in_recovery(); pg_is_in_recovery ------------------- t (1 row) If Return    false   so the server is running in primary mode or master postgres=# select pg_is_in_recovery(); pg_is_in_recovery ------------------- f (1 row)
Read more

How to Get Table Size, Database Size, Indexes Size, schema Size, Tablespace Size, column Size in PostgreSQL Database

-
In this post, I am sharing few important function for finding the size of database, table and index in PostgreSQL. Finding object size in postgresql database is very important and common. Is it very useful to know the exact size occupied by the object at the tablespace. The object size in the following scripts is in GB. The scripts have been formatted to work very easily with PUTTY SQL Editor. 1. Checking table size excluding table dependency: SELECT pg_size_pretty(pg_relation_size('mhrordhu_shk.mut_kharedi_audit')); pg_size_pretty ---------------- 238 MB (1 row) 2. Checking table size including table dependency: SELECT pg_size_pretty(pg_total_relation_size('mhrordhu_shk.mut_kharedi_audit')); pg_size_pretty ---------------- 268 MB (1 row) 3. Finding individual postgresql database size SELECT pg_size_pretty(pg_database_size('db_name')); 4. Finding individual table size for postgresql database -including dependency index: SELECT pg_size_pretty(pg_total_rel
Read more

PostgreSQL Introduction

-
PostgreSQL tutorial provides basic and advanced concepts of SQL. Our PostgreSQL tutorial is designed for beginners and professionals. PostgreSQL is an opens-source object-relational database management system (ORDBMS). Our PostgreSQL tutorial includes all topics of PostgreSQL language such as create database, create table, drop database, drop table, select database, select table, insert record, update record, delete record, triggers, functions, procedures, cursors etc. There are also given PostgreSQL interview questions and quizzes to help you better understand the PostgreSQL language. Prerequisite: Before you start doing practice with various types of examples given in this reference, I'm making an assumption that you are already aware about what is database, especially RDBMS and what is a computer programming language. you must have the basic knowledge of SQL Problem: We assure that you will not find any problem in this PostgreSQL tutorial. But if there is any mistake
Read more

Postgres Streaming Replication Configuration

-
Primary - Existing Test Server: ======= Hostname: nijam-1 IP Address: 53.99.198.11 Secodary - New Test Server ======== Hostname: nijam-2 IP Address: 53.99.198.12 ===================================================== Step 1. stop the slave server /optt/10.5/bin/pg_ctl -D /DATA stop Step 2. move the slave data directory to backup location: mv /DATA/* /tmp/backup Step 3. change below parameter on master postgresql.conf & pg_hba.conf files . listen_addresses = 'localhost,53.99.198.11' wal_level = replica # minimal, replica, or logical archive_mode = on archive_command = 'cp %p /ARCHIVES/%f' max_wal_senders = 10 wal_keep_segments = 25 On pg_hba.conf: host replication postgres 53.99.198.12/24 trust host replication postgres 53.99.198.11/24 trust Step 4. Restart the master server: /optt/10.5/bin/pg_ctl -D /DATA restart Step 5. taking consistancy backup: psql -c "sele
Read more