Install and configure csf firewall in linux
The ConfigServer Security & Firewall is a popular open source Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application, compatible with most Linux servers. CSF basically configure iptables entry in easy manner which automatically create iptables entry for you with small configuration. You don’t need to remind a big iptable query command for allowing or blocking any ip address or port number , just configure it in this csf firewall it will automatically create for you.
CSF can be fully configured to block/restrict ports you don’t want open. CSF also includes the Login Failure Daemon (LFD), which will scan log files and monitor failed login attempts, such as login attempts for FTP and E-Mail accounts, and it will block the IP according to the rules you have setup. CSF also offers Connection Limiting, Real Time Block Lists and Port Scan tracking and much more.
CSF can be easily managed from GUI, which is fully compatible with DirectAdmin, CPanel, and WebMin/Virtualmin.
To avoid any conflicts in operation it is important to remove your current firewall if any like ufw or else. After completing the uninstallation routine continue with the CSF installation procedure outlined below.
Here we will install csf firewall using source code script which require you to install some dependencies.
Follow these steps to Install and configure csf firewall in linux servers.
Begin by installing the required dependencies for the CSF Firewall:
yum install perl-libwww-perl
Download the CSF archive using wget, unpack the archive by issuing the TAR command and finally install CSF by starting the ./install.sh setup script.
wget http://www.configserver.com/free/csf.tgz tar zxvf csf.tgz cd csf ./install.sh
Firewall is now installed. Now check iptables entry if it is working with csf firewall using below command.
This test is to double check that the correct iptables modules are installed. The test can be invoked by issuing the command below. If not all modules are installed, you need to work on getting them installed.
$ /etc/csf/csftest.pl Testing ip_tables/iptable_filter...OK Testing ipt_LOG...OK Testing ipt_multiport/xt_multiport...OK Testing ipt_REJECT...OK Testing ipt_state/xt_state...OK Testing ipt_limit/xt_limit...OK Testing ipt_recent...OK Testing xt_connlimit...OK Testing ipt_owner/xt_owner...OK Testing iptable_nat/ipt_REDIRECT...OK Testing iptable_nat/ipt_DNAT...OK RESULT: csf should function on this server
The firewall will work if no fatal errors are reported.
CSF Firewall can be configured from various config files. CSF by default install under location /etc/csf in RED Hat Enterprise Linux /CentOs Distros.
The configuration files include:
- csf.conf – the main configuration file, it has helpful comments explaining what each option does
- csf.allow – a list of IP’s and CIDR addresses that should always be allowed through the firewall
- csf.deny – a list of IP’s and CIDR addresses that should never be allowed through the firewall
- csf.ignore – a list of IP’s and CIDR addresses that lfd should ignore and not block if detected
- csf.*ignore – various ignore files that list files, users, IP’s that lfd should ignore. See each file for their specific purpose
After modifying any of above files under /etc/csf folder you have to restart csf to have them take effect. If you use the command line options to add or deny IP addresses, then csf automatically does this for you.
Enabling CSF Firewall
By default csf firewall is configured in test state in which it is not affected to the server or not add any entry in iptables until it enable the csf firewall.
CSF Firewall can be enable by edit csf configuration file below
And change TESTING = “1” to TESTING = “0” to fully enabled csf firewall.
TESTING = "0"
TCP_IN/TCP_OUT and UDP_IN/UDP_OUT
To allow selected port access to and from server below configuration is used: Where you can add ip with comman seperated and for a series colon “:” is used .
# Allow incoming TCP ports TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999" # Allow outgoing TCP ports TCP_OUT = "20,21,22,25,53,80,110,113,443" # Allow incoming UDP ports UDP_IN = "20,21,53" # Allow outgoing UDP ports UDP_OUT = "20,21,53,113,123"
As FTP requires a random high port number if the client is in PORT mode. When using ProFTP you may need to add a port range into your
/etc/proftpd.conf file to allow ftp connections, eg: PassivePorts 15000 15999 and then open that port range in your CSF firewall. Ranges can be defined in CSF by using a colon eg: 1
ICMP_IN and ICMP_OUT
Allowing ping is usually a good option for diagnostic purposes.
ICMP_IN to 1 to allow incoming ping requests to your server. Set to 0 refuses such requests.ICMP packets is used to debug the server if is in up condition.. You can configure
ICMP_IN_LIMIT to sets the number of ICMP (ping) requests allowed from one IP address within a specified amount of time. This used to stop icmp flooding for block our server There is usually no need to change the default value (1/s)
ICMP_OUT to 1 to allow outgoing ping from your server. Set to 0 refuses such requests.
ICMP_OUT_LIMIT Sets the number of outgoing ICMP (ping) requests within a specified amount of time. There is usually no need to change the default value (0)
Port Flood Protection
This section protects from DoS(denial of service) attacks. In which you may specify the amount of allowed connections on each port within time period of your liking. This is recommended option for prevent from an attacker for forcing your service down like apache.
PORTFLOOD is a comma separated list of:
port;protocol;hit count*;interval seconds
So, a setting of
PORTFLOOD = "22;tcp;5;300,80;tcp;20;5" means:
- 1. If more than 5 connections to tcp port 22 within 300 seconds, then block that IP address from port 22 for at least 300 seconds after the last packet is seen, i.e. there must be a “quiet” period of 300 seconds before the block is lifted
- 2. If more than 20 connections to tcp port 80 within 5 seconds, then block that IP address from port 80 for at least 5 seconds after the last packet is seen, i.e. there must be a “quiet” period of 5 seconds before the block is lifted
Connection limit protection CONNLIMIT
This feature can be used to limit the number of concurrent active connections from an IP address to each port. When properly configured, this may prevent abuses on the server, such as DoS attacks.
CONNLIMIT is a comma separated list of:
So, a setting of
CONNLIMIT = "22;5,80;20" means:
- Only allow up to 5 concurrent new connections to port 22 per IP address
- Only allow up to 20 concurrent new connections to port 80 per IP address
SYNFLOOD, SYNFLOOD_RATE and SYNFLOOD_BURST
Offers protection against SYN flood attacks. This slows down the initialization of every connection, so you should enable this only if you know that your server is under attack.
SYNFLOOD = "0" SYNFLOOD_RATE = "100/s" SYNFLOOD_BURST = "150"
Enabling this feature allows CSF to send a more informative message to the client when a block is applied. This feature has both pros and cons. On one hand, enabling it provides more information to the client, and thus may cause less frustration for instance in case of failed logins. On the other hand, this provides more information, which might make it easier for an attacker to attack your server.
/etc/csf.deny you can add more complex port and ip filters using the following format.
Protocol|incoming/outgoing connection|source/destination port|source/destination ip|uid/gid of source packet
tcp/udp : EITHER tcp OR udp OR icmp protocol in/out : EITHER incoming OR outgoing connections s/d=port : EITHER source OR destination port number (or ICMP type) (use a _ for a port range, e.g. 2000_3000) s/d=ip : EITHER source OR destination IP address u/g=UID : EITHER UID or GID of source packet, implies outgoing connections, s/d=IP value is ignored
# TCP connections inbound to port 3306 from IP 184.108.40.206 tcp|in|d=3306|s=220.127.116.11 # TCP connections outbound to port 22 on IP 18.104.22.168 tcp|out|d=22|d=22.214.171.124 Note| If omitted, the default protocol is set to "tcp", the default connection direction is set to "in", so| # TCP connections inbound to port 22 from IP 126.96.36.199 d=22|s=188.8.131.52 # TCP connections outbound to port 80 from UID 99 tcp|out|d=80||u=99 # ICMP connections inbound for type ping from 184.108.40.206 icmp|in|d=ping|s=220.127.116.11 # TCP connections inbound to port 22 from Dynamic DNS address # www.configserver.com (for use in csf.dyndns only) tcp|in|d=22|s=www.configserver.com
Login Failure Daemon (LFD)
To complement the ConfigServer Firewall, a daemon process that runs all the time and periodically scans the latest log file entries for login attempts against your server that continually fail within a short period of time. Such attempts are often called “Brute-force attacks” and the daemon process responds very quickly to such patterns and blocks offending IP’s quickly.
lfd can monitor the most commonly abused protocols, SSHD, POP3, IMAP, FTP and HTTP password protection. Unlike other applications, lfd is a daemon process that monitors logs continuously and so can react within seconds of detecting such attempts. It also monitors across protocols, so if attempts are made on different protocols in a short space of time, all those attempts will be counted against the threshold.
You can specify an email address to report errors from the Login Failure Daemon.
LF_ALERT_TO = "" LF_ALERT_FROM = "" LF_ALERT_SMTP = ""
4.2 Login Tracking
It keeps track of POP3 and IMAP or any services which described, logins and limits them to X connections per hour per account per IP address. It uses iptables to block offenders to the appropriate protocol port only and flushes them every hour and starts counting logins a fresh. All of these blocks are temporary and can be cleared manually by restarting csf.
There are two settings, one of POP3 and one for IMAP logins. It’s generally not a good idea to track IMAP logins as many clients login each time to perform a protocol transaction (there’s no need for them to repeatedly login, but you can’t avoid bad client programming!). So, if you do have a need to have some limit to IMAP logins, it is probably best to set the login limit quite high.
4.3 Process Tracking
This option enables tracking of user and nobody processes and examines them for suspicious executable or open network ports. Its purpose is to identify potential exploit processes that are running on the server, even if they are obfuscated to appear as system services. If a suspicious process is found an alert email is sent with relevant information. Processes may be excluded from process tracking by editing the csf.pignore file. For example, to disable Process tracking for Spamassassin and ClamAV enter the following in the csf.pignore file. This file can also be edited from the CSF gui:
exe:/usr/bin/freshclam exe:/usr/bin/spamc exe:/usr/bin/spamd cmd:spamd child
Directory Watching enables lfd to check /tmp and /dev/shm and other pertinent directories for suspicious files, i.e. script exploits.
Using the Command Line
Here are the some of the most common commands you will be using:
- csf -d IPADDRESS
- will deny an IP.
- csf -a IPADDRESS
- will allow an IP.
- csf -r
- will reload all rules.
- csf -u
- Update CSF
- csf -e
- Starts the csf service
- service csf restart
- will restart the csf service
For a complete overview of all command line options enter
csf -h on the command line and you will receive a list with all available options:
$ csf --help csf: v5.17 (DirectAdmin) ConfigServer Security & Firewall (c)2006-2013, Way to the Web Limited (http://www.configserver.com) Usage: /usr/sbin/csf [option] [value] Option Meaning -h, --help Show this message -l, --status List/Show iptables configuration -l6, --status6 List/Show ip6tables configuration -s, --start Start firewall rules -f, --stop Flush/Stop firewall rules (Note: lfd may restart csf) -r, --restart Restart firewall rules -q, --startq Quick restart (csf restarted by lfd) -sf, --startf Force CLI restart regardless of LF_QUICKSTART setting -a, --add ip Allow an IP and add to /etc/csf.allow -ar, --addrm ip Remove an IP from /etc/csf.allow and delete rule -d, --deny ip Deny an IP and add to /etc/csf.deny -dr, --denyrm ip Unblock an IP and remove from /etc/csf.deny -df, --denyf Remove and unblock all entries in /etc/csf.deny -g, --grep ip Search the iptables rules for an IP match (incl. CIDR) -t, --temp Displays the current list of temp IP entries and their TTL -tr, --temprm ip Remove an IPs from the temp IP ban and allow list -td, --tempdeny ip ttl [-p port] [-d direction] Add an IP to the temp IP ban list. ttl is how long to blocks for (default:seconds, can use one suffix of h/m/d). Optional port. Optional direction of block can be one of: in, out or inout (default:in) -ta, --tempallow ip ttl [-p port] [-d direction] Add an IP to the temp IP allow list (default:inout) -tf, --tempf Flush all IPs from the temp IP entries -cp, --cping PING all members in an lfd Cluster -cd, --cdeny ip Deny an IP in a Cluster and add to /etc/csf.deny -ca, --callow ip Allow an IP in a Cluster and add to /etc/csf.allow -cr, --crm ip Unblock an IP in a Cluster and remove from /etc/csf.deny -cc, --cconfig [name] [value] Change configuration option [name] to [value] in a Cluster -cf, --cfile [file] Send [file] in a Cluster to /etc/csf/ -crs, --crestart Cluster restart csf and lfd -w, --watch ip Log SYN packets for an IP across iptables chains -m, --mail [addr] Display Server Check in HTML or email to [addr] if present -lr, --logrun Initiate Log Scanner report via lfd -c, --check Check for updates to csf but do not upgrade -u, --update Check for updates to csf and upgrade if available -uf Force an update of csf -x, --disable Disable csf and lfd -e, --enable Enable csf and lfd if previously disabled -v, --version Show csf version
On cPanel servers:
cd /etc/csf sh uninstall.sh
On DirectAdmin servers:
cd /etc/csf sh uninstall.directadmin.sh
On generic linux servers:
cd /etc/csf sh uninstall.generic.sh