CSF Firewall - LinuxHunt

CSF stands for “Config Server Firewall”. It is used to secure Linux servers, and it is a free and advanced firewall for most Linux distributions and Linux-based VPSs. In addition to the basic functionality of a firewall (filtering packets), CSF includes other security features, such as login, intrusion and flood detection. CSF includes UI integration for cPanel, DirectAdmin and Webmin, but this tutorial only covers command-line usage. CSF is able to recognize many attacks, such as port scans, SYN floods, and login brute-force attacks on many services. It is configured to temporarily block clients that are detected to be attacking the cloud server.

Features

Config Server Firewall offers a wide range of protections for your VPS.

Login authentication failure daemon:

CSF checks the logs for failed login attempts at regular intervals, and is able to recognize most unauthorized attempts to gain access to your cloud server. In the configuration file you can define the action CSF takes and the number of attempts after which it takes it.

The following applications are supported by this feature:

  • Courier imap, Dovecot, uw-imap, Kerio
  • openSSH
  • cPanel, WHM, Webmail (cPanel servers only)
  • Pure-ftpd, vsftpd, Proftpd
  • Password protected web pages (htpasswd)
  • Mod_security failures (v1 and v2)
  • Suhosin failures
  • Exim SMTP AUTH

In addition to these, you are able to define your own login files with regular expression matching. This can be helpful if you have an application which logs failed logins, but does not block the user after a specific number of attempts.
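The threshold logic described above, as an added example that is not CSF's or lfd's own code: regular expressions pull the source IP out of failed-login lines, and an IP is flagged once it reaches a set number of failures inside a time window. The log lines, the `myapp` log format, the function name, and the limits of 3 failures in 300 seconds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Each pattern captures the source IP of a failed login. "sshd" matches OpenSSH's
# "Failed password" message; "myapp" is a hypothetical custom application log.
PATTERNS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)"),
    "myapp": re.compile(r"myapp: login failed user=\S+ ip=(\d+\.\d+\.\d+\.\d+)"),
}

# Constructed sample log lines (documentation address ranges), in time order.
SAMPLE_LOG = """\
Mar 10 10:00:01 host sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 10 10:00:09 host sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Mar 10 10:00:30 host sshd[813]: Accepted password for alice from 198.51.100.4 port 51000 ssh2
Mar 10 10:01:15 host myapp: login failed user=bob ip=198.51.100.9
Mar 10 10:02:40 host sshd[815]: Failed password for root from 203.0.113.7 port 40125 ssh2
Mar 10 10:20:00 host myapp: login failed user=bob ip=198.51.100.9
Mar 10 10:40:00 host myapp: login failed user=bob ip=198.51.100.9
"""

def find_offenders(log_text, limit=3, window=300, year=2024):
    """Return {ip: service} for IPs with >= limit failures within window seconds."""
    recent = defaultdict(deque)   # (service, ip) -> timestamps of recent failures
    offenders = {}
    for line in log_text.splitlines():
        for service, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # syslog timestamps carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            hits = recent[(service, m.group(1))]
            hits.append(ts)
            # discard failures that have aged out of the window
            while (ts - hits[0]).total_seconds() > window:
                hits.popleft()
            if len(hits) >= limit:
                offenders[m.group(1)] = service
    return offenders

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))
```

Widening the window to an hour also flags the slower `myapp` attempts, which is the trade-off to weigh when choosing the attempt limit.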

Enabling this feature allows CSF to send a more informative message to the client when a block is applied. This feature has both pros and cons. On one hand, enabling it provides more information to the client, and thus may cause less frustration for instance in case of failed logins. On the other hand, this provides more information, which might make it easier for an attacker to attack your VPS.

This setting provides protection against port flood attacks, such as denial of service (DoS) attacks. You may specify the number of allowed connections on each port within a time period of your liking. Enabling this feature is recommended, as it may prevent an attacker from forcing your services down. Pay attention to the limits you set: settings that are too restrictive will drop connections from normal clients, while settings that are too permissive may allow an attacker to succeed in a flood attack.

Port knocking

Port knocking allows clients to establish connections to a server with no ports open. The server allows clients to connect to the main ports only after a successful port knock sequence. You may find this useful if you offer services which are available to only a limited audience.

Port/IP address redirection

CSF can be configured to redirect connections to an IP/port to another IP/port. Note: After redirection, the source address of the client will be the server’s IP address. This is not equivalent to network address translation (NAT).

Config Server Firewall (CSF) is a firewall application suite for Linux servers. CSF is also a login/intrusion detection system for applications like SSH, SMTP, IMAP, POP3, the “su” command and many more. For example, CSF can detect when someone logs into the server via SSH and alert you when this user tries to use the “su” command on the server to get higher privileges. It also checks for login authentication failures on mail servers (Exim, IMAP, Dovecot, uw-imap, Kerio), OpenSSH servers, FTP servers (Pure-ftpd, vsftpd, Proftpd) and cPanel servers, so it can replace software like fail2ban. CSF is a good security solution for hosting servers and can be integrated into the user interface (UI) of WHM/cPanel, DirectAdmin, and Webmin.

Installing ConfigServer Firewall

Step 1 – Installation of CSF dependencies

On CentOS:

yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes

On Ubuntu (the package is named libwww-perl there, and Time::HiRes ships with the stock perl package):

sudo apt-get install wget vim libwww-perl

Step 2 – Install CSF

cd /usr/src/

wget https://download.configserver.com/csf.tgz

Extract the tar.gz file and go to the csf directory, then install it:

tar -xzf csf.tgz

cd csf

sh install.sh

Now check that CSF really works on this server. Go to the “/usr/local/csf/bin/” directory and run “csftest.pl”:

cd /usr/local/csf/bin/

perl csftest.pl

RESULT: csf should function on this server

Step 3 – Configure CSF on CentOS 7

Note: Before stepping into the CSF configuration process, the first thing you must know is that CentOS 7 has a default firewall application called “firewalld”. You have to stop firewalld and remove it from startup.

systemctl stop firewalld

systemctl disable firewalld

Then go to the CSF Configuration directory “/etc/csf/” and edit the file “csf.conf” with the vim editor:

cd /etc/csf/

vim csf.conf

Change “TESTING” to “0” to apply the firewall configuration:

TESTING = "0"

By default, CSF allows incoming and outgoing traffic on the standard SSH port 22. If you use a different SSH port, add your port to “TCP_IN” (line 139 of the configuration).

Now start CSF and LFD with systemctl command:

systemctl start csf

systemctl start lfd

And then enable the csf and lfd services to be started at boot time:

systemctl enable csf

systemctl enable lfd

Now you can see the list of default CSF rules with the command:

csf -l

Step 4 – Basic CSF Commands

Frequently used csf commands:

  1. To start (enable) CSF:

          csf -e

  2. To stop CSF:

          csf -x

  3. To reload CSF:

          csf -r

  • Allow an IP and add it to csf.allow:

          csf -a 192.168.1.109

You can also add the IP directly to the csf.allow file (/etc/csf/csf.allow).

  • Remove an IP from csf.allow:

          csf -ar 192.168.1.109

  • Block an IP and add it to csf.deny:

          csf -d 192.168.1.109

You can also add the IP directly to the csf.deny file (/etc/csf/csf.deny).

  • Remove an IP from csf.deny:

          csf -dr 192.168.1.109

  • Remove and unblock all entries from csf.deny:

          csf -df

  • Search for a pattern match in iptables, e.g. an IP, CIDR or port number:

          csf -g 192.168.1.110

Note: If the server already runs services that use specific port numbers (such as localhost services, Tomcat, a mail server or an API), you have to add these ports to “TCP_IN” and “TCP_OUT” in the csf.conf file and then restart csf; otherwise CSF will block these services.
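A pre-flight check for the two configuration points in this tutorial (the TESTING flag, and the ports your services need in TCP_IN and TCP_OUT), as an added example that is not part of CSF or of the original tutorial. The sample configuration, the function names, and ports 2222, 8080 and 30500 are constructed for illustration; point it at your own /etc/csf/csf.conf and port list before restarting csf.

```python
import re

# Constructed excerpt of /etc/csf/csf.conf; the values are examples only.
SAMPLE_CONF = '''\
# Testing flag
TESTING = "1"
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,30000:35000"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
'''

def parse_conf(text):
    """Return {KEY: value} for every KEY = "value" line, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"', line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def port_allowed(port, spec):
    """True if port is in a comma-separated list that may hold low:high ranges."""
    for item in filter(None, (p.strip() for p in spec.split(","))):
        low, _, high = item.partition(":")
        if int(low) <= port <= int(high or low):
            return True
    return False

def preflight(text, inbound=(), outbound=()):
    """Return a list of problems to fix before restarting csf."""
    conf = parse_conf(text)
    problems = []
    if conf.get("TESTING") != "0":
        problems.append("TESTING is not 0: firewall configuration is not applied")
    for key, ports in (("TCP_IN", inbound), ("TCP_OUT", outbound)):
        for port in ports:
            if not port_allowed(port, conf.get(key, "")):
                problems.append(f"port {port} missing from {key}")
    return problems

if __name__ == "__main__":
    print(preflight(SAMPLE_CONF, inbound=[2222, 8080, 30500], outbound=[25]))
```

Because the parser accepts only straight double quotes, a value pasted with typographic quotes is reported as a TESTING problem rather than silently accepted.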
