CSF firewall commonly known as Config server Security and Firewall has become one of the popular firewalls used for security purpose in the Linux Cpanel servers.
CSF has Login Failure Daemon (lfd) process that runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that continually fail within a short period of time. Such attempts are often called "Brute-force attacks" and the daemon process responds very quickly to such patterns and blocks offending IP's quickly.
Installation Steps
1. Download the package from CSF website
wget <<path_of_tgz_file>>
2. Untar it
tar -zxf csf.tar.gz
3. Run the Install script.
sh /csf/install.sh
4. Remove APF or IPTables Firewall
If you have any existing IP tables firewall remove them using uninstall scripts located at /etc/csf. In this case i was running APF firewall and BFD in my server so i have to remove it.
sh /etc/csf/remove_apf_bfd.sh
5. Start the Firewall in Testing ModeStart the firewall with the following command.
csf -s
// start the firewall
csf -r
// restart the firewall
csf -f
// flush the rules or stop the firewall.
If you are running a VPS plan, then you might get the error like this// start the firewall
csf -r
// restart the firewall
csf -f
// flush the rules or stop the firewall.
"iptables LKM ip_tables missing so this firewall cannot function unless you enable MONOLITHIC_KERNEL in /etc/csf/csf.conf
Error: aborted, at line 156"
To fix:
Open the /etc/csf/csf.conf and look for a line MONOLITHIC_KERNEL = "0" and change to MONOLITHIC_KERNEL = "1"
Thats all! Now restart the firewall.
7. Specify which ports you want to allow.
It is very important to check the firewall on which ports to open and close all remaining port numbers. Open the /etc/csf/csf.conf and edit the following line with port numbers
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2087"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"
# Allow incoming UDP ports
UDP_IN = "20,21,53,953"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,873,953,6277"
21 => FTPTCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2087"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"
# Allow incoming UDP ports
UDP_IN = "20,21,53,953"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,873,953,6277"
22 => SSH
23 => Telnet
25 => SMTP Mail Transfer
43 => WHOIS service
53 => name server (DNS)
80 => HTTP (Web server)
110 => POP protocol (for email)
443 => HTTP Secure (SSL for https:// )
995 => POP over SSL/TLS
9999 => Urchin
3306 = > MysQL Server
2082 => CPANEL Default
2083 => CPANEL - Secure/SSL
2086 => CPANEL WHM
2087 => CPANEL WHM - Secure/SSL
2095 => cpanel webmail
2096 => cpanel webmail - secure/SSL
8443 => Plesk control panel
2222 => Direct admin control panel
1000 => Webmin Control Panel
19638 TCP Ensim Server Control Panel
For more information about commonly used port numbers refer to this article
6. Disable the Testing Mode and Start the Firewall
Remember by default the firewall is running in testing mode. You might want to disable the firewall running in testing mode.
nano /etc/csf/csf.conf
//Look for the first line and set testing mode to "0"
TESTING = "0"
//Now restart the firewall!
csf -r
//Look for the first line and set testing mode to "0"
TESTING = "0"
//Now restart the firewall!
csf -r
Config Files
/etc/csf/csf.conf CSF Firewall configuration file/etc/csf/csf.allow => Config file to allow IPs
/etc/csf/csf.deny => Config file to deny IPs
/etc/csf/ => Alert files with TXT extension are stored within this directory
Remove the CSF Firewall
Just run the uninstall script located at /etc/csf/ directory
sh /etc/csf/uninstall.sh
To look for open ports, just use the following commands in linux and observe which ports are open.
netstat -nap
OR
nmap fuser localhost
OR
nmap fuser localhost
No comments:
Post a Comment