Install and configure csf firewall in linux
The ConfigServer Security & Firewall (CSF) is a popular open source Stateful Packet Inspection (SPI) firewall, login/intrusion detection and security application, compatible with most Linux servers. CSF essentially manages iptables for you: a small configuration is turned into the corresponding iptables entries automatically. You don't need to remember long iptables commands to allow or block an IP address or port number; just configure it in CSF and the rules are created for you.
CSF can be fully configured to block/restrict ports you don't want open. CSF also includes the Login Failure Daemon (LFD), which scans log files and monitors failed login attempts, such as login attempts for FTP and e-mail accounts, and blocks the IP according to the rules you have set up. CSF also offers connection limiting, real-time block lists, port scan tracking and much more.
CSF can also be managed from a GUI, which is fully compatible with DirectAdmin, cPanel and Webmin/Virtualmin.
To avoid conflicts in operation, it is important to remove any existing firewall, such as ufw, first. After completing its uninstallation, continue with the CSF installation procedure outlined below.
Here we will install CSF from the source archive, which requires some dependencies to be installed first.
Follow these steps to install and configure the csf firewall on Linux servers.
Installation
Begin by installing the required dependencies for the CSF Firewall:
yum install perl-libwww-perl
Download the CSF archive using wget, unpack it with tar and finally install CSF by running the ./install.sh setup script.
wget http://www.configserver.com/free/csf.tgz
tar zxvf csf.tgz
cd csf
./install.sh
The firewall is now installed. Next, double-check that the iptables modules csf needs are present by running the test script below. If not all modules are installed, you need to get them installed before csf will work.
$ /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
The firewall will work if no fatal errors are reported.
Configuration
CSF is configured through several config files. By default it installs under /etc/csf on Red Hat Enterprise Linux / CentOS distributions.
The configuration files include:
- csf.conf – the main configuration file, it has helpful comments explaining what each option does
- csf.allow – a list of IPs and CIDR addresses that should always be allowed through the firewall
- csf.deny – a list of IPs and CIDR addresses that should never be allowed through the firewall
- csf.ignore – a list of IPs and CIDR addresses that lfd should ignore and not block if detected
- csf.*ignore – various ignore files that list files, users and IPs that lfd should ignore. See each file for its specific purpose
After modifying any of the above files under /etc/csf you have to restart csf for the changes to take effect. If you use the command line options to allow or deny IP addresses, csf does this for you automatically.
Enabling CSF Firewall
By default csf is configured in a testing state, in which it does not affect the server or add any entries to iptables until you enable it.
Enable CSF by editing its configuration file:
vim /etc/csf/csf.conf
and changing TESTING = "1" to TESTING = "0" to fully enable the csf firewall.
TESTING = "0"
TCP_IN/TCP_OUT and UDP_IN/UDP_OUT
To allow selected ports into and out of the server, the following settings are used. Ports are comma-separated, and a range of ports is written with a colon ":".
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123"
FTP requires a random high port number if the client is in PORT mode. When using ProFTP you may need to add a port range to your /etc/proftpd.conf file to allow FTP connections, e.g. PassivePorts 15000 15999, and then open that port range in your CSF firewall. Ranges are defined in CSF with a colon, e.g. 15000:15999.
ICMP_IN and ICMP_OUT
Allowing ping is usually a good option for diagnostic purposes.
Set ICMP_IN to 1 to allow incoming ping requests to your server; set it to 0 to refuse them. ICMP is useful for checking whether the server is up. ICMP_IN_LIMIT sets the number of ICMP (ping) requests allowed from one IP address within a specified amount of time; this limit helps stop ICMP flooding of the server. There is usually no need to change the default value (1/s).
Set ICMP_OUT to 1 to allow outgoing ping from your server; set it to 0 to refuse it. ICMP_OUT_LIMIT sets the number of outgoing ICMP (ping) requests allowed within a specified amount of time. There is usually no need to change the default value (0).
Port Flood Protection
This section protects against DoS (denial of service) attacks: you specify the number of connections allowed on each port within a time period of your choosing. This option is recommended to stop an attacker from forcing a service such as Apache down.
PORTFLOOD is a comma separated list of:
port;protocol;hit count*;interval seconds
So, a setting of PORTFLOOD = "22;tcp;5;300,80;tcp;20;5"
means:
1. If more than 5 connections to tcp port 22 within 300 seconds, then block that IP address from port 22 for at least 300 seconds after the last packet is seen, i.e. there must be a "quiet" period of 300 seconds before the block is lifted
2. If more than 20 connections to tcp port 80 within 5 seconds, then block that IP address from port 80 for at least 5 seconds after the last packet is seen, i.e. there must be a "quiet" period of 5 seconds before the block is lifted
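To make the hit count / interval / quiet-period semantics above concrete, here is an added example (not CSF's own code) that parses a PORTFLOOD value and replays a constructed stream of connection events against it; the helper names and the sample traffic are this example's own.

```python
from collections import defaultdict, namedtuple

# hits: block once MORE than this many connections arrive within `interval` seconds;
# the same interval is the "quiet" period that must pass before the block lifts.
PortFloodRule = namedtuple("PortFloodRule", "port proto hits interval")


def parse_portflood(setting: str) -> dict:
    """Turn a csf.conf PORTFLOOD value such as "22;tcp;5;300,80;tcp;20;5" into {port: rule}."""
    rules = {}
    for entry in setting.split(","):
        port, proto, hits, interval = entry.strip().split(";")
        rules[int(port)] = PortFloodRule(int(port), proto, int(hits), int(interval))
    return rules


def simulate(rules: dict, events: list) -> tuple:
    """events: (time_s, src_ip, port) per new connection. Returns (blocks, blocked_until):
    blocks lists (time, ip, port) where a block is applied; blocked_until maps (ip, port)
    to the earliest time the block may lift given the packets seen so far."""
    recent = defaultdict(list)      # (ip, port) -> connection times inside the window
    blocked_until, blocks = {}, []
    for t, ip, port in sorted(events):
        rule = rules.get(port)
        if rule is None:
            continue                # port not covered by PORTFLOOD
        key = (ip, port)
        if key in blocked_until:
            if t < blocked_until[key]:
                blocked_until[key] = t + rule.interval   # packet seen: quiet period restarts
                continue
            del blocked_until[key]  # quiet period elapsed: block lifted
        recent[key] = [x for x in recent[key] if t - x <= rule.interval] + [t]
        if len(recent[key]) > rule.hits:
            blocked_until[key] = t + rule.interval
            blocks.append((t, ip, port))
            recent[key] = []
    return blocks, blocked_until


# Constructed sample traffic (not real data): one host hammers port 22 slowly, an admin
# host connects normally, and a third host bursts 25 connections at port 80 in one second.
SAMPLE_EVENTS = (
    [(t, "203.0.113.5", 22) for t in (0, 10, 20, 30, 40, 50, 100, 500)]
    + [(t, "192.0.2.9", 22) for t in (0, 100, 200)]
    + [(1000, "198.51.100.7", 80)] * 25
)


def run_sample() -> tuple:
    return simulate(parse_portflood("22;tcp;5;300,80;tcp;20;5"), SAMPLE_EVENTS)
```

Running run_sample() shows the port-22 host blocked at its 6th connection, the block extended by the packet seen at t=100 and lifted by t=500, while the port-80 burst is blocked at its 21st connection.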
Connection limit protection CONNLIMIT
This feature can be used to limit the number of concurrent active connections from an IP address to each port. When properly configured, this may prevent abuses on the server, such as DoS attacks.
CONNLIMIT is a comma separated list of:
port;limit
So, a setting of CONNLIMIT = "22;5,80;20"
means:
- Only allow up to 5 concurrent new connections to port 22 per IP address
- Only allow up to 20 concurrent new connections to port 80 per IP address
SYNFLOOD, SYNFLOOD_RATE and SYNFLOOD_BURST
Offers protection against SYN flood attacks. This slows down the initialization of every connection, so enable it only if you know that your server is under attack.
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
Messenger Service
Enabling this feature allows CSF to send a more informative message to the client when a block is applied. This feature has both pros and cons. On one hand, enabling it provides more information to the client, and thus may cause less frustration for instance in case of failed logins. On the other hand, this provides more information, which might make it easier for an attacker to attack your server.
Allow/Deny Filters
In /etc/csf.allow and /etc/csf.deny you can add more complex port and IP filters using the following format.
Protocol|incoming/outgoing connection|source/destination port|source/destination ip|uid/gid of source packet
Broken down:
tcp/udp  : EITHER tcp OR udp OR icmp protocol
in/out   : EITHER incoming OR outgoing connections
s/d=port : EITHER source OR destination port number (or ICMP type) (use a _ for a port range, e.g. 2000_3000)
s/d=ip   : EITHER source OR destination IP address
u/g=UID  : EITHER UID or GID of source packet, implies outgoing connections, s/d=IP value is ignored
Examples:
# TCP connections inbound to port 3306 from IP 11.22.33.44
tcp|in|d=3306|s=11.22.33.44

# TCP connections outbound to port 22 on IP 11.22.33.44
tcp|out|d=22|d=11.22.33.44

Note: If omitted, the default protocol is set to "tcp" and the default connection direction is set to "in", so:

# TCP connections inbound to port 22 from IP 44.33.22.11
d=22|s=44.33.22.11

# TCP connections outbound to port 80 from UID 99
tcp|out|d=80||u=99

# ICMP connections inbound for type ping from 44.33.22.11
icmp|in|d=ping|s=44.33.22.11

# TCP connections inbound to port 22 from Dynamic DNS address
# www.configserver.com (for use in csf.dyndns only)
tcp|in|d=22|s=www.configserver.com
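As an added example (not CSF's own parser), the following Python reads csf.allow/csf.deny lines in the format above and applies the documented defaults: protocol tcp, direction in, "_" for a port range, and u=/g= implying outgoing with the IP ignored. Telling an s=/d= port from an s=/d= address is this example's own heuristic (numeric or lo_hi is a port; an ICMP type name is accepted only for icmp; everything else is an address or hostname).

```python
import ipaddress
import re

DEFAULTS = {"proto": "tcp", "direction": "in", "port": None, "ip": None, "uid": None, "gid": None}
PORT_RE = re.compile(r"^(\d+)(?:_(\d+))?$")   # single port or lo_hi range


def is_address(value: str) -> bool:
    """Heuristic (this example's assumption, not CSF's logic): IP, CIDR or dotted hostname."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return "." in value


def parse_filter(line: str) -> dict:
    """Parse one csf.allow/csf.deny line; returns {} for comments and blank lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return {}
    rule = dict(DEFAULTS)
    for field in body.split("|"):
        field = field.strip()
        if not field:
            continue                                  # empty slot, as in tcp|out|d=80||u=99
        if field in ("tcp", "udp", "icmp"):
            rule["proto"] = field
        elif field in ("in", "out"):
            rule["direction"] = field
        elif field[:2] in ("u=", "g="):
            rule["uid" if field[0] == "u" else "gid"] = int(field[2:])
            rule["direction"], rule["ip"] = "out", None   # u=/g= implies outgoing; ip ignored
        elif field[:2] in ("s=", "d="):
            side, value = field[0], field[2:]
            m = PORT_RE.match(value)
            if m:
                lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
                rule["port"] = {"side": side, "lo": lo, "hi": hi}
            elif rule["proto"] == "icmp" and not is_address(value):
                rule["port"] = {"side": side, "type": value}   # ICMP type name such as ping
            elif rule["uid"] is None and rule["gid"] is None:
                rule["ip"] = {"side": side, "value": value}    # IP, CIDR or dyndns hostname
        else:
            raise ValueError(f"unrecognised field {field!r} in {line!r}")
    return rule


def parse_filters(text: str) -> list:
    """Parse a whole file's worth of lines, skipping comments and blank lines."""
    return [r for r in map(parse_filter, text.splitlines()) if r]
```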
Login Failure Daemon (LFD)
To complement the ConfigServer Firewall, lfd is a daemon process that runs all the time and periodically scans the latest log file entries for login attempts against your server that repeatedly fail within a short period of time. Such attempts are often called "brute-force attacks", and the daemon responds very quickly to such patterns and blocks the offending IPs.
lfd can monitor the most commonly abused protocols: SSHD, POP3, IMAP, FTP and HTTP password protection. Unlike other applications, lfd is a daemon process that monitors logs continuously and so can react within seconds of detecting such attempts. It also monitors across protocols, so if attempts are made on different protocols in a short space of time, all those attempts are counted against the threshold.
E-Mail Alerts
You can specify an email address to which the Login Failure Daemon reports alerts.
LF_ALERT_TO = ""
LF_ALERT_FROM = ""
LF_ALERT_SMTP = ""
Login Tracking
Login tracking keeps track of POP3 and IMAP logins (and those of any other services you describe) and limits them to X connections per hour per account per IP address. It uses iptables to block offenders on the appropriate protocol port only, flushes the blocks every hour and starts counting logins afresh. All of these blocks are temporary and can be cleared manually by restarting csf.
There are two settings, one for POP3 and one for IMAP logins. It is generally not a good idea to track IMAP logins, as many clients log in each time they perform a protocol transaction (there is no need for them to log in repeatedly, but you cannot avoid bad client programming). So, if you do need some limit on IMAP logins, it is probably best to set the login limit quite high.
Process Tracking
This option enables tracking of user and nobody processes and examines them for suspicious executables or open network ports. Its purpose is to identify potential exploit processes running on the server, even if they are obfuscated to appear as system services. If a suspicious process is found, an alert email is sent with the relevant information. Processes may be excluded from process tracking by editing the csf.pignore file. For example, to disable process tracking for SpamAssassin and ClamAV, enter the following in the csf.pignore file. This file can also be edited from the CSF GUI:
exe:/usr/bin/freshclam
exe:/usr/bin/spamc
exe:/usr/bin/spamd
cmd:spamd child
Directory Watching
Directory Watching enables lfd to check /tmp and /dev/shm and other pertinent directories for suspicious files, i.e. script exploits.
Using the Command Line
Here are some of the most common commands you will be using:
- csf -d IPADDRESS – will deny an IP.
- csf -a IPADDRESS – will allow an IP.
- csf -r – will reload all rules.
- csf -u – will update CSF.
- csf -e – enables csf and lfd, i.e. starts the csf service.
- service csf restart – will restart the csf service.
For a complete overview of all command line options, enter csf or csf -h on the command line and you will receive a list of all available options:
$ csf --help
csf: v5.17 (DirectAdmin)
ConfigServer Security & Firewall
(c)2006-2013, Way to the Web Limited (http://www.configserver.com)

Usage: /usr/sbin/csf [option] [value]

Option              Meaning
-h, --help          Show this message
-l, --status        List/Show iptables configuration
-l6, --status6      List/Show ip6tables configuration
-s, --start         Start firewall rules
-f, --stop          Flush/Stop firewall rules (Note: lfd may restart csf)
-r, --restart       Restart firewall rules
-q, --startq        Quick restart (csf restarted by lfd)
-sf, --startf       Force CLI restart regardless of LF_QUICKSTART setting
-a, --add ip        Allow an IP and add to /etc/csf.allow
-ar, --addrm ip     Remove an IP from /etc/csf.allow and delete rule
-d, --deny ip       Deny an IP and add to /etc/csf.deny
-dr, --denyrm ip    Unblock an IP and remove from /etc/csf.deny
-df, --denyf        Remove and unblock all entries in /etc/csf.deny
-g, --grep ip       Search the iptables rules for an IP match (incl. CIDR)
-t, --temp          Displays the current list of temp IP entries and their TTL
-tr, --temprm ip    Remove an IPs from the temp IP ban and allow list
-td, --tempdeny ip ttl [-p port] [-d direction]
                    Add an IP to the temp IP ban list. ttl is how long to blocks for (default:seconds, can use one suffix of h/m/d). Optional port. Optional direction of block can be one of: in, out or inout (default:in)
-ta, --tempallow ip ttl [-p port] [-d direction]
                    Add an IP to the temp IP allow list (default:inout)
-tf, --tempf        Flush all IPs from the temp IP entries
-cp, --cping        PING all members in an lfd Cluster
-cd, --cdeny ip     Deny an IP in a Cluster and add to /etc/csf.deny
-ca, --callow ip    Allow an IP in a Cluster and add to /etc/csf.allow
-cr, --crm ip       Unblock an IP in a Cluster and remove from /etc/csf.deny
-cc, --cconfig [name] [value]
                    Change configuration option [name] to [value] in a Cluster
-cf, --cfile [file] Send [file] in a Cluster to /etc/csf/
-crs, --crestart    Cluster restart csf and lfd
-w, --watch ip      Log SYN packets for an IP across iptables chains
-m, --mail [addr]   Display Server Check in HTML or email to [addr] if present
-lr, --logrun       Initiate Log Scanner report via lfd
-c, --check         Check for updates to csf but do not upgrade
-u, --update        Check for updates to csf and upgrade if available
-uf                 Force an update of csf
-x, --disable       Disable csf and lfd
-e, --enable        Enable csf and lfd if previously disabled
-v, --version       Show csf version
Uninstallation
On cPanel servers:
cd /etc/csf
sh uninstall.sh
On DirectAdmin servers:
cd /etc/csf
sh uninstall.directadmin.sh
On generic Linux servers:
cd /etc/csf
sh uninstall.generic.sh