Setup ConfigServer Security and Firewall ( CSF ) – Linux Security
Step 1 – Installation of CSF dependencies
The CSF script requires a Perl module, perl-libwww-perl, which is a CSF dependency:
[root@nijam ~]# yum install perl-libwww-perl
Loaded plugins: auto-update-debuginfo, fastestmirror, protectbase, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: centos.excellmedia.net
 * epel: epel.mirror.net.in
 * epel-debuginfo: epel.mirror.net.in
... ... ...
Installed:
  perl-libwww-perl.noarch 0:5.833-2.el6
Complete!
Step 2 – Install CSF
Go to the “/usr/src/” directory and download CSF with the wget command.
[root@nijam ~]# cd /usr/src/
[root@nijam src]# wget http://www.configserver.com/free/csf.tgz
--2016-03-17 09:59:46--  http://www.configserver.com/free/csf.tgz
Resolving www.configserver.com... 109.70.137.78, 2a01:c0:2:22::3
Connecting to www.configserver.com|109.70.137.78|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
... ... ...
100%[======================================>] 688,544     364K/s   in 1.8s
2016-03-17 09:59:49 (364 KB/s) - “csf.tgz” saved [688544/688544]
To remove an existing firewall: the combination of APF (Advanced Policy Firewall) and BFD (Brute Force Detection) must be removed to avoid conflicts. Run the following command to remove the existing firewall.
[root@nijam src]# sh /usr/src/csf/remove_apf_bfd.sh
sh: /tmp/csf/remove_apf_bfd.sh: No such file or directory
Note: I had not installed APF & BFD before, that’s why it says no such file or directory.
Extract the tar.gz file and go to the csf directory, then install it:
[root@nijam ~]# cd /usr/src
[root@nijam src]# tar -xzf csf.tgz
[root@nijam src]# cd csf
[root@nijam src]# sh install.sh
Selecting installer...
Running csf generic installer
Installing generic csf and lfd
Check we're running as root
... ... ...
mode of `/etc/init.d/lfd' retained as 0755 (rwxr-xr-x)
mode of `/etc/init.d/csf' retained as 0755 (rwxr-xr-x)
`/etc/csf/csfwebmin.tgz' -> `/usr/local/csf/csfwebmin.tgz'
Installation Completed
Now you should check that CSF really works on this server. Go to the “/usr/local/csf/bin/” directory and run “csftest.pl”.
# cd /usr/local/csf/bin/
# perl csftest.pl
If you see the test results as shown below, then CSF is running without problems on your server:
RESULT: csf should function on this server
The commands above install and start CSF in testing mode. To disable testing mode, configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options for your server. Make the following changes in the file /etc/csf/csf.conf.
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
Step 3 – Configure CSF on CentOS 7
Before stepping into the CSF configuration process, the first thing you must know is that “CentOS 7” has a default firewall application called “firewalld”. You have to stop firewalld and remove it from the startup.
Stop the firewalld:
systemctl stop firewalld
Disable/Remove firewalld from the startup:
systemctl disable firewalld
Then go to the CSF Configuration directory “/etc/csf/” and edit the file “csf.conf” with the vim editor:
vim /etc/csf/csf.conf
Change line 11, “TESTING”, to “0” so that the firewall configuration is applied.
TESTING = "0"
By default CSF allows incoming and outgoing traffic for the standard SSH port 22; if you use a different SSH port, add your port to the configuration in line 139, “TCP_IN”.
Now start CSF and LFD with systemctl command:
systemctl start csf
systemctl start lfd
And then enable the csf and lfd services to be started at boot time:
systemctl enable csf
systemctl enable lfd
Step 4 – CSF Configuration Files:
CSF Configuration Usage and Options
- csf.conf : The main configuration file for controlling CSF.
- csf.deny : The list of denied IPs and CIDR addresses on the firewall.
- csf.allow : The list of allowed IPs and CIDR addresses on the firewall.
- csf.*ignore : The various ignore files for users and IPs.
- csf.ignore : The list of ignored IPs and CIDR addresses on the firewall.
Commands and Options of CSF
- Option -r is used to reload all rules.
- Option -d is used to deny an IP address.
- Option -a is used to allow an IP address.
# csf -d IPADDRESS
# csf -a IPADDRESS
# csf -r
Back to the csf configuration directory, and edit the csf.conf configuration file:
# vi /etc/csf/csf.conf
1. Don’t block IP addresses that are in the csf.allow file.
By default lfd will also block an IP that is listed in csf.allow, so if you want an IP in csf.allow to never be blocked by lfd, go to line 272 and change “IGNORE_ALLOW” to “1”. This is useful when you have a static IP at home or in the office and want to ensure that your IP never gets blocked by the firewall on your internet server.
IGNORE_ALLOW = "1"
2. Allow Incoming and Outgoing ICMP.
Go to the line 152 for incoming ping/ICMP:
ICMP_IN = "1"
And line 159 for outgoing ping/ICMP:
ICMP_OUT = "1"
3. Block Certain Countries
CSF provides an option to allow and deny access by country using two-letter country codes (CC). Go to line 836 and add the country codes that shall be denied and allowed:
CC_DENY = "CN,UK,US"
CC_ALLOW = "ID,MY,DE"
4. Send su and SSH login alerts by email.
You can set an email address that LFD uses to send alerts about “SSH login” events and about users that run the “su” command. Go to line 1069 and change the values to “1”.
LF_SSH_EMAIL_ALERT = "1"
...
LF_SU_EMAIL_ALERT = "1"
And then define the email address you want to use in line 588.
LF_ALERT_TO = "admin@tutorialdba.com"
If you want more tweaks, read the options in the “/etc/csf/csf.conf” configuration file.
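An added example, not part of this tutorial or of CSF itself: a read-only POSIX sh audit of a csf.conf copy that reports the settings changed in Step 3 and Step 4 which would leave the host unprotected or lock you out (TESTING still 1, the SSH port missing from TCP_IN, IGNORE_ALLOW at 0, LF_ALERT_TO empty). The helper names csf_get, csf_port_allowed and csf_audit and the constructed sample config are assumptions; nothing here changes firewall state.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a csf.conf for the settings the
# steps above change. Reads only; CSF_SAMPLE is a constructed config fragment.
# Point it at /etc/csf/csf.conf to audit a real host.
CSF_SAMPLE=$(mktemp)
cat > "$CSF_SAMPLE" <<'EOF'
# constructed csf.conf fragment
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,30000:35000"
IGNORE_ALLOW = "0"
LF_ALERT_TO = ""
EOF

# csf_get FILE KEY: print the quoted value of KEY (the last definition wins)
csf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# csf_port_allowed FILE PORT: succeed if PORT is listed in TCP_IN,
# either as a single port or inside a low:high range
csf_port_allowed() {
    _port=$2
    _old_ifs=$IFS; IFS=','
    for _e in $(csf_get "$1" TCP_IN); do
        case "$_e" in
            *:*) _lo=${_e%%:*}; _hi=${_e##*:}
                 if [ "$_port" -ge "$_lo" ] && [ "$_port" -le "$_hi" ]; then
                     IFS=$_old_ifs; return 0
                 fi ;;
            "$_port") IFS=$_old_ifs; return 0 ;;
        esac
    done
    IFS=$_old_ifs
    return 1
}

# csf_audit FILE SSHPORT: print one line per finding, return the finding count
_finding() { echo "$1"; _n=$((_n+1)); }
csf_audit() {
    _n=0
    [ "$(csf_get "$1" TESTING)" = "0" ] || _finding "TESTING is not 0: firewall is still in testing mode"
    csf_port_allowed "$1" "$2" || _finding "SSH port $2 is not in TCP_IN: enabling the firewall would lock you out"
    [ "$(csf_get "$1" IGNORE_ALLOW)" = "1" ] || _finding "IGNORE_ALLOW is 0: lfd may still block addresses in csf.allow"
    [ -n "$(csf_get "$1" LF_ALERT_TO)" ] || _finding "LF_ALERT_TO is empty: login alerts have no recipient"
    return $_n
}

csf_audit "$CSF_SAMPLE" 22 || echo "$? finding(s): fix csf.conf before setting TESTING to 0"
```

On the constructed sample the audit reports three findings; run it with your real SSH port as the second argument before switching TESTING to 0.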
Step 5 – CSF Commands
1. Start the firewall (enable the firewall rules):
csf -s
2. Flush/Stop the firewall rules.
csf -f
3. Reload the firewall rules.
csf -r
4. Allow an IP and add it to csf.allow.
# csf -a 192.168.1.109
Adding 192.168.1.109 to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
5. Remove and delete an IP from csf.allow.
# csf -ar 192.168.1.109
Removing rule...
ACCEPT  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
6. Deny an IP and add to csf.deny:
# csf -d 192.168.1.109
Adding 192.168.1.109 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
7. Remove and delete an IP from csf.deny.
# csf -dr 192.168.1.109
Removing rule...
DROP  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
8. Remove and Unblock all entries from csf.deny.
# csf -df
DROP  all opt -- in !lo out *  192.168.1.110  -> 0.0.0.0/0
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.110
DROP  all opt -- in !lo out *  192.168.1.111  -> 0.0.0.0/0
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.111
csf: all entries removed from csf.deny
9. Search for a pattern match in iptables, e.g. an IP, CIDR or port number:
csf -g 192.168.1.110
10. Now you can see the default rules of CSF with the command:
csf -l
Step 6 – Example: Deny a Host
[root@nijam csf]# csf -d 192.168.7.101
Adding 192.168.7.101 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  192.168.7.101  -> 0.0.0.0/0
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.7.101
[root@nijam csf]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
... ... ...
LOCALOUTPUT  all opt in * out !lo  ::/0  -> ::/0
LOCALINPUT  all opt in !lo out *  ::/0  -> ::/0
To list the rules:
[root@ijam csf]# csf -l
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
..... ..... .....
Chain DENYIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        1   165 DROP       all  --  !lo    *       192.168.7.101        0.0.0.0/0
... ... ...
To verify, try to reach the IP:
[root@nijam csf]# ping 192.168.7.101
PING 192.168.7.101 (192.168.7.101) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
Now add it to the allow list:
[root@nijam csf]# csf -a 192.168.7.101
Removing 192.168.7.101 from csf.deny...
Removing rule...
DROP  all opt -- in !lo out *  192.168.7.101  -> 0.0.0.0/0
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.7.101
Adding 192.168.7.101 to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  192.168.7.101  -> 0.0.0.0/0
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.7.101
[root@ijam csf]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
... ... ...
To list the rules again:
[root@nijam csf]# csf -l
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  !lo    *       8.8.8.8              0.0.0.0/0            tcp dpt:53
Chain ALLOWOUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            192.168.7.101
.....
To verify:
[root@nijam csf]# ping 192.168.7.101
PING 192.168.7.101 (192.168.7.101) 56(84) bytes of data.
64 bytes from 192.168.7.101: icmp_seq=1 ttl=128 time=1.40 ms
64 bytes from 192.168.7.101: icmp_seq=2 ttl=128 time=0.377 ms
64 bytes from 192.168.7.101: icmp_seq=3 ttl=128 time=0.321 ms
64 bytes from 192.168.7.101: icmp_seq=4 ttl=128 time=0.241 ms
64 bytes from 192.168.7.101: icmp_seq=5 ttl=128 time=0.341 ms
............
Step 7 – To remove CSF Firewall:
Run the uninstall script /etc/csf/uninstall.sh to remove the CSF firewall.
[root@nijam csf]# /etc/csf/uninstall.sh
Uninstalling csf and lfd...
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
... ... ...
removed directory: `/var/lib/csf/ui'
removed directory: `/var/lib/csf'
...Done