24 Jan CSF Firewall
CSF stands for “Config Server Firewall”. This firewall is used on Linux servers for security. It is a free and advanced firewall for most Linux distributions and Linux-based VPSs. In addition to the basic functionality of a firewall – filtering packets – CSF includes other security features, such as login, intrusion and flood detection. CSF includes UI integration for cPanel, DirectAdmin and Webmin, but this tutorial only covers command-line usage. CSF is able to recognize many attacks, such as port scans, SYN floods, and login brute-force attacks on many services. It is configured to temporarily block clients that are detected to be attacking the cloud server.
Config Server Firewall offers a wide range of protections for your VPS.
Login authentication failure daemon:
CSF checks the logs for failed login attempts at regular intervals and is able to recognize most unauthorized attempts to gain access to your cloud server. In the configuration file you can define the action CSF takes and the number of attempts after which it takes it.
The following applications are supported by this feature:
- Courier imap, Dovecot, uw-imap, Kerio
- cPanel, WHM, Webmail (cPanel servers only)
- Pure-ftpd, vsftpd, Proftpd
- Password protected web pages (htpasswd)
- Mod_security failures (v1 and v2)
- Suhosin failures
- Exim SMTP AUTH
In addition to these, you are able to define your own login files with regular expression matching. This can be helpful if you have an application which logs failed logins, but does not block the user after a specific number of attempts.
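The threshold-over-interval detection and custom log matching described above can be modelled as follows. This is an added example, not CSF's or lfd's own code; the log format (epoch seconds in the first field), the application name myapp and the function name are assumptions, and the log lines are constructed.

```shell
#!/bin/sh
# Added example: a simplified model of threshold-based login failure detection.
# Not CSF/lfd code. Log format (epoch seconds first) and names are assumptions.

# failed_login_offenders LOG REGEX LIMIT WINDOW
# Prints each source IP once it reaches LIMIT matching lines within WINDOW seconds.
failed_login_offenders() {
    awk -v re="$2" -v limit="$3" -v window="$4" '
    $0 ~ re && match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
        ip = substr($0, RSTART, RLENGTH); t = $1 + 0
        if (!(ip in head)) head[ip] = 1
        times[ip, ++tail[ip]] = t
        # Slide the window: forget failures older than WINDOW seconds.
        while (times[ip, head[ip]] < t - window) head[ip]++
        if (tail[ip] - head[ip] + 1 >= limit && !(ip in blocked)) {
            blocked[ip] = 1
            print ip
        }
    }' "$1"
}

# Constructed sample log for a hypothetical application "myapp".
applog=$(mktemp)
cat > "$applog" <<'EOF'
1706090400 myapp: login failed user=admin src=203.0.113.7
1706090405 myapp: login ok user=alice src=198.51.100.20
1706090410 myapp: login failed user=root src=203.0.113.7
1706090420 myapp: login failed user=test src=203.0.113.7
1706090430 myapp: login failed user=bob src=198.51.100.20
1706094000 myapp: login failed user=bob src=198.51.100.20
1706097600 myapp: login failed user=bob src=198.51.100.20
EOF

# 3 failures within 300 seconds: only 203.0.113.7 qualifies.
# The failures from 198.51.100.20 are an hour apart and never reach the limit.
failed_login_offenders "$applog" "login failed" 3 300
```

A limit that is too low or a window that is too long also catches the second address, which is the trade-off between blocking attackers and locking out users who mistype a password.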
Enabling this feature allows CSF to send a more informative message to the client when a block is applied. This feature has both pros and cons. On one hand, enabling it provides more information to the client and thus may cause less frustration, for instance in the case of failed logins. On the other hand, it provides more information, which might make it easier for an attacker to attack your VPS.
This setting provides protection against port flood attacks, such as denial of service (DoS) attacks. You may specify the number of connections allowed on each port within a time period of your choosing. Enabling this feature is recommended, as it may prevent an attacker from forcing your services down. Pay attention to the limits you set: settings that are too restrictive will drop connections from normal clients, while settings that are too permissive may allow an attacker to succeed in a flood attack.
Port knocking allows clients to establish connections to a server with no ports open. The server allows clients to connect to the main ports only after a successful port knock sequence. You may find this useful if you offer services which are available only to a limited audience.
Port/IP address redirection
CSF can be configured to redirect connections to an IP/port to another IP/port. Note: After redirection, the source address of the client will be the server’s IP address. This is not equivalent to network address translation (NAT).
Config Server Firewall (CSF) is a firewall application suite for Linux servers. CSF is also a login/intrusion detection tool for applications like SSH, SMTP, IMAP, POP3, the “su” command and many more. For example, CSF can detect when someone logs into the server via SSH and alert you when this user tries to use the “su” command on the server to get higher privileges. It also checks for login authentication failures on mail servers (Exim, IMAP, Dovecot, uw-imap, Kerio), OpenSSH servers, FTP servers (Pure-ftpd, vsftpd, Proftpd) and cPanel servers, so it can replace software like fail2ban. CSF is a good security solution for hosting servers and can be integrated into the user interface (UI) of WHM/cPanel, DirectAdmin, and Webmin.
Installing ConfigServer Firewall:
Step 1 – Installation of CSF dependencies
On CentOS/RHEL:
yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes
On Debian/Ubuntu (Time::HiRes ships with the perl package):
sudo apt-get install wget vim libwww-perl
Step 2 – Install CSF
Extract the tar.gz file and go to the csf directory, then install it:
tar -xzf csf.tgz
cd csf && sh install.sh
Now you should check that CSF really works on this server. Go to the “/usr/local/csf/bin/” directory, and run “csftest.pl”.
cd /usr/local/csf/bin/
perl csftest.pl
RESULT: csf should function on this server
Step 3 – Configure CSF on CentOS 7
Note: Before stepping into the CSF configuration process, be aware that CentOS 7 has a default firewall application called “firewalld”. You have to stop firewalld and remove it from startup.
systemctl stop firewalld
systemctl disable firewalld
Then open the CSF configuration file “csf.conf” in the directory “/etc/csf/” with the vim editor.
Change the “TESTING” setting to “0” to apply the firewall configuration.
TESTING = "0"
By default CSF allows incoming and outgoing traffic for the standard SSH port 22. If you use a different SSH port, add your port to the “TCP_IN” setting in line 139 of the configuration.
Now start CSF and LFD with the systemctl command:
systemctl start csf
systemctl start lfd
And then enable the csf and lfd services to be started at boot time:
systemctl enable csf
systemctl enable lfd
Now you can see the list of default CSF rules with the command:
Step 4 – Basic CSF Commands
- To start (enable) CSF:
- To stop CSF:
- To reload CSF:
- Allow an IP and add it to csf.allow:
csf -a 192.168.1.109
You can also add the IP directly to the csf.allow file (/etc/csf/csf.allow).
- Remove and delete an IP from csf.allow:
csf -ar 192.168.1.109
- Block an IP and add it to csf.deny:
csf -d 192.168.1.109
You can also add the IP directly to the csf.deny file (/etc/csf/csf.deny).
- Remove and delete an IP from csf.deny:
csf -dr 192.168.1.109
- Remove and unblock all entries from csf.deny.
- Search for a pattern match on iptables, e.g. IP, CIDR, port number:
csf -g 192.168.1.110
(Note: If your server already runs services like “localhost, Tomcat, mail server and API” that use specific port numbers, you have to add these ports to “TCP_IN” and “TCP_OUT” in the csf.conf file and then restart CSF; otherwise CSF blocks these services.)
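A quick way to check the csf.conf changes from Step 3 and the note above before restarting CSF. This is an added example, not part of CSF; the function names and the in:PORT / out:PORT argument format are assumptions, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not part of CSF: audit the csf.conf settings this tutorial changes.

# conf_value FILE KEY: print the quoted value of a KEY = "value" line.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# port_listed PORT LIST: succeed if PORT is in a comma list that may hold a:b ranges.
port_listed() {
    echo "$2" | awk -v p="$1" -F, '{
        for (i = 1; i <= NF; i++) {
            n = split($i, r, ":")
            if (n == 1 && r[1] + 0 == p + 0) found = 1
            if (n == 2 && p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1
        }
    } END { exit !found }'
}

# csf_conf_audit FILE SPEC...: SPEC is in:PORT or out:PORT. Returns 1 on any finding.
csf_conf_audit() {
    conf=$1; shift; rc=0
    if [ "$(conf_value "$conf" TESTING)" != "0" ]; then
        echo "WARN: TESTING is not \"0\""; rc=1
    fi
    for spec in "$@"; do
        case $spec in
            in:*)  key=TCP_IN ;;
            out:*) key=TCP_OUT ;;
            *)     echo "ERROR: bad spec '$spec'"; return 2 ;;
        esac
        port=${spec#*:}
        port_listed "$port" "$(conf_value "$conf" "$key")" ||
            { echo "WARN: port $port missing from $key"; rc=1; }
    done
    return $rc
}

# Constructed sample config: TESTING still enabled, custom SSH port 2222 not opened.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,443,30000:35000"
TCP_OUT = "20,21,22,25,53,80,443"
EOF
csf_conf_audit "$sample" in:2222 in:8080 out:25 in:30100 || echo "audit found problems"
```

On a real server, pass /etc/csf/csf.conf and the ports your own services use; checking the custom SSH port before restarting CSF avoids locking yourself out.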