      Configuring Server Security and Firewall ( CSF )

      • Posted by 2ndnijam
      • Categories Blog
      • Date January 12, 2019
      • Comments 0 comment

      Step 1 – Install the CSF dependencies

      The CSF scripts are written in Perl and need the perl-libwww-perl module, so install that dependency first:

      [root@nijam ~]# yum install perl-libwww-perl
      Loaded plugins: auto-update-debuginfo, fastestmirror, protectbase, refresh-
      : packagekit, security
      Setting up Install Process
      Loading mirror speeds from cached hostfile
      * base: centos.excellmedia.net
      * epel: epel.mirror.net.in
      * epel-debuginfo: epel.mirror.net.in
      ...
      ...
      ...
      Installed:
      perl-libwww-perl.noarch 0:5.833-2.el6
      
      Complete!

      Step 2 – Install CSF

      Change to the /usr/src/ directory and download CSF with wget:

      [root@nijam ~]#  cd /usr/src/
      [root@nijam src]# wget http://www.configserver.com/free/csf.tgz
      --2016-03-17 09:59:46-- http://www.configserver.com/free/csf.tgz
      Resolving www.configserver.com... 109.70.137.78, 2a01:c0:2:22::3
      Connecting to www.configserver.com|109.70.137.78|:80... connected.
      HTTP request sent, awaiting response... 301 Moved Permanently
      ...
      ...
      ...
      
      100%[======================================>] 688,544 364K/s in 1.8s
      
      2016-03-17 09:59:49 (364 KB/s) - “csf.tgz” saved [688544/688544]

      Remove any existing firewall: the APF (Advanced Policy Firewall) + BFD (Brute Force Detection) combination must be removed to avoid conflicts with CSF. Run the following command to remove it:

      [root@nijam src]# sh /usr/src/csf/remove_apf_bfd.sh
      sh: /tmp/csf/remove_apf_bfd.sh: No such file or directory

      Note: I had not installed APF & BFD before, which is why it says no such file or directory.

      Extract the tar.gz file and go to the csf directory, then install it:

      [root@nijam ~]# cd /usr/src
      [root@nijam src]# tar -xzf csf.tgz
      [root@nijam src]# cd csf
      [root@nijam src]# sh install.sh
      Selecting installer...
      
      Running csf generic installer
      
      Installing generic csf and lfd
      
      Check we're running as root
      ...
      ...
      ...
      mode of `/etc/init.d/lfd' retained as 0755 (rwxr-xr-x)
      mode of `/etc/init.d/csf' retained as 0755 (rwxr-xr-x)
      `/etc/csf/csfwebmin.tgz' -> `/usr/local/csf/csfwebmin.tgz'
      
      Installation Completed

      Now check that CSF really works on this server. Go to the /usr/local/csf/bin/ directory and run csftest.pl:

      # cd /usr/local/csf/bin/
      # perl csftest.pl

      If you see the test results as shown below, then CSF is running without problems on your server:

      RESULT: csf should function on this server

      The commands above install and start CSF in testing mode. Before disabling testing mode, configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in /etc/csf/csf.conf, for example:

      # Allow incoming TCP ports
      TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
      
      # Allow outgoing TCP ports
      TCP_OUT = "20,21,22,25,53,80,110,113,443"
      
      # Allow incoming UDP ports
      UDP_IN = "20,21,53"
      
      # Allow outgoing UDP ports
      # To allow outgoing traceroute add 33434:33523 to this list
      UDP_OUT = "20,21,53,113,123"

      Step 3 – Configure CSF on CentOS 7

      Before starting the CSF configuration, note that CentOS 7 ships with a default firewall service called firewalld. CSF manages iptables itself, so firewalld must be stopped and removed from the startup.
      Stop firewalld:

      systemctl stop firewalld

      Disable/Remove firewalld from the startup:

      systemctl disable firewalld

      Then go to the CSF Configuration directory “/etc/csf/” and edit the file “csf.conf” with the vim editor:

      vim /etc/csf/csf.conf

      Change TESTING on line 11 to “0” so that the firewall configuration is applied:

      TESTING = "0"

      By default CSF allows incoming and outgoing traffic on the standard SSH port 22. If your SSH daemon listens on a different port, add that port to TCP_IN on line 139 before disabling testing mode, otherwise the new rules will cut off your own SSH session.
      Now start CSF and LFD with systemctl command:

      systemctl start csf
      systemctl start lfd

      And then enable the csf and lfd services to be started at boot time:

      systemctl enable csf
      systemctl enable lfd
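The lock-out risk above (TESTING set to "0" while the SSH port is missing from TCP_IN) is easy to check mechanically. The script below is an added example written for this page, not code from the CSF project: it reads csf.conf-style `KEY = "value"` lines, understands the comma-separated port lists with `LOW:HIGH` ranges that csf.conf uses, and only flips TESTING to "0" when the SSH port is covered. All function names are hypothetical and the csf.conf fragment it operates on is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the CSF project: flip TESTING to "0" only after
# confirming that the SSH port is covered by TCP_IN, so that applying the
# firewall cannot cut off the session you are configuring it from.
# Key/value lines in csf.conf look like:   TCP_IN = "20,21,22"

# Print the value of KEY ($1) from a csf.conf-style file ($2).
csf_get() {
    sed -n "s/^$1 *= *\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Set KEY ($1) to VALUE ($2) in file ($3), keeping the original as FILE.bak.
csf_set() {
    sed -i.bak "s/^\($1 *= *\)\"[^\"]*\"/\1\"$2\"/" "$3"
}

# Succeed (return 0) if PORT ($1) is covered by a CSF port list ($2).
# Lists are comma separated and may contain LOW:HIGH ranges, e.g.
# "20,21,53,33434:33523".
port_in_list() {
    _port=$1
    _saved_ifs=$IFS
    IFS=,
    for _item in $2; do
        case $_item in
            *:*)
                _low=${_item%%:*}
                _high=${_item##*:}
                if [ "$_port" -ge "$_low" ] && [ "$_port" -le "$_high" ]; then
                    IFS=$_saved_ifs
                    return 0
                fi
                ;;
            *)
                if [ "$_port" -eq "$_item" ]; then
                    IFS=$_saved_ifs
                    return 0
                fi
                ;;
        esac
    done
    IFS=$_saved_ifs
    return 1
}

# Disable TESTING in CONF ($1) only if SSH_PORT ($2) is in TCP_IN.
# Leaves the file untouched and returns 1 otherwise.
safe_disable_testing() {
    _conf=$1
    _ssh=$2
    _tcp_in=$(csf_get TCP_IN "$_conf")
    if port_in_list "$_ssh" "$_tcp_in"; then
        csf_set TESTING 0 "$_conf"
        echo "TESTING set to 0: SSH port $_ssh is in TCP_IN"
        return 0
    fi
    echo "refusing to disable TESTING: SSH port $_ssh is not in TCP_IN=\"$_tcp_in\"" >&2
    return 1
}

# Write a constructed csf.conf fragment (sample data, not a real config) to a
# temporary file and print its path.
make_sample_conf() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
# constructed sample, only the keys used by this example
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
UDP_OUT = "20,21,53,113,123,33434:33523"
EOF
    echo "$_f"
}

# Demo: the first call is refused (2200 is not in TCP_IN), the second succeeds.
demo_conf=$(make_sample_conf)
safe_disable_testing "$demo_conf" 2200 || true
safe_disable_testing "$demo_conf" 22
grep '^TESTING' "$demo_conf"
rm -f "$demo_conf" "$demo_conf.bak"
```

On a real host, pass the port sshd actually listens on (`sshd -T` prints it as `port N`) rather than assuming 22, and run the check against /etc/csf/csf.conf before `csf -r`.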

      Step 4 – CSF Configuration Files:

      CSF Configuration Usage and Options

      • csf.conf : The main configuration file for controlling CSF.
      • csf.deny : The list of denied IPs and CIDR addresses on the firewall.
      • csf.allow : The list of allowed IPs and CIDR addresses on the firewall.
      • csf.*ignore : The various ignore files (users, IPs, etc.).
      • csf.ignore : The list of ignored IPs and CIDR addresses on the firewall.

      Commands and Options of CSF

      • Option -r is used to reload all rules.
      • Option -d is used to deny an IP address
      • Option -a is used to allow an IP address

      # csf -d IPADDRESS
      # csf -a IPADDRESS
      # csf -r
       
      Back to the csf configuration directory, and edit the csf.conf configuration file:

      # vi /etc/csf/csf.conf

      1. Don’t block IP addresses that are in the csf.allow file.
      By default lfd will also block an IP that is listed in csf.allow. If you want addresses in csf.allow never to be blocked by lfd, go to line 272 and change “IGNORE_ALLOW” to “1”. This is useful when you have a static IP at home or in the office and want to be sure that it never gets blocked by the firewall on your internet server.

      IGNORE_ALLOW = "1"

      2. Allow Incoming and Outgoing ICMP.
      Go to the line 152 for incoming ping/ICMP:

      ICMP_IN = "1"

      And line 159 for outgoing ping/ICMP:

      ICMP_OUT = "1"

      3. Block Certain Countries
      CSF provides an option to allow and deny access by country using two-letter country codes (CC). Go to line 836 and add the country codes that should be denied and allowed:

      CC_DENY = "CN,UK,US"
      CC_ALLOW = "ID,MY,DE"

      4. Send the su and SSH login log by email.
      You can set an email address that LFD uses to send alerts about “SSH login” events and about users that run the “su” command. Go to line 1069 and change the values to “1”:

      LF_SSH_EMAIL_ALERT = "1"
      
      ...
      
      LF_SU_EMAIL_ALERT = "1"

      And then define the email address you want to use in line 588.

      LF_ALERT_TO = "admin@tutorialdba.com"

      If you want more tweaks, read the options in the “/etc/csf/csf.conf” configuration file.
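The csf.allow / csf.deny files listed in Step 4 and the IGNORE_ALLOW point above share one question: is an address you are about to deny already covered by the allow list? The script below is an added example for this page, not CSF's own code or a replacement for `csf -d`: it parses allow-list lines (one plain IPv4 address or IPv4 CIDR per line, optional trailing `# comment`, CSF's advanced `proto|dir|port|addr` lines skipped), tests CIDR membership with integer arithmetic, and refuses to append an address to the deny file when the allow list already covers it. It only edits files, never iptables. The function names are hypothetical and the allow/deny contents are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the CSF project: before appending an address to a
# csf.deny-style file, check whether a csf.allow-style file already covers it.
# This is a file-level approximation of the allow-before-deny check; it does
# not touch iptables and is not a substitute for csf -d / csf -a.

# Convert a dotted IPv4 address to an integer.
ip2int() {
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if IP ($2) lies inside ENTRY ($1), which is "a.b.c.d" or "a.b.c.d/n".
cidr_contains() {
    _net=${1%/*}
    _bits=${1#*/}
    [ "$_bits" = "$1" ] && _bits=32        # no prefix length: exact host
    [ "$_bits" -eq 0 ] && return 0         # /0 matches everything
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( $(ip2int "$2") & _mask )) -eq $(( $(ip2int "$_net") & _mask )) ]
}

# Succeed if IP ($1) is covered by any entry in allow-list FILE ($2).
# Comments are stripped; lines in CSF's advanced "proto|dir|port|addr"
# syntax are skipped because they are not plain address entries.
ip_in_allow_file() {
    while IFS= read -r _line || [ -n "$_line" ]; do
        _entry=${_line%%#*}
        _entry=$(printf '%s' "$_entry" | tr -d ' \t')
        [ -z "$_entry" ] && continue
        case $_entry in *"|"*) continue ;; esac
        if cidr_contains "$_entry" "$1"; then
            return 0
        fi
    done < "$2"
    return 1
}

# Append IP ($1) to DENY ($3) unless ALLOW ($2) already covers it or it is
# already listed. Returns 1 when the deny is refused.
guarded_deny() {
    if ip_in_allow_file "$1" "$2"; then
        echo "refusing to deny $1: covered by an entry in $2" >&2
        return 1
    fi
    if awk -v ip="$1" '{ sub(/#.*/, ""); gsub(/[ \t]/, ""); if ($0 == ip) found = 1 } END { exit !found }' "$3"; then
        echo "$1 is already in $3"
        return 0
    fi
    echo "$1 # added by guarded_deny" >> "$3"
    echo "added $1 to $3"
}

# Demo with constructed allow/deny files (sample data, not real lists).
demo_allow=$(mktemp)
demo_deny=$(mktemp)
printf '%s\n' '203.0.113.10 # office static IP' '198.51.100.0/24 # monitoring net' > "$demo_allow"
: > "$demo_deny"
guarded_deny 198.51.100.77 "$demo_allow" "$demo_deny" || true   # refused: inside the /24
guarded_deny 192.0.2.5 "$demo_allow" "$demo_deny"                # appended
cat "$demo_deny"
rm -f "$demo_allow" "$demo_deny"
```

Run the same check against /etc/csf/csf.allow before adding entries to /etc/csf/csf.deny by hand; for blocks performed through `csf -d` the tool itself handles the allow list, and for automatic blocks by lfd the IGNORE_ALLOW setting decides.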

      Step 5 – CSF Commands

      1. Start the firewall (enable the firewall rules):

      csf -s

      2. Flush/Stop the firewall rules.

      csf -f

      3. Reload the firewall rules.

      csf -r

      4. Allow an IP and add it to csf.allow.

      # csf -a 192.168.1.109
      Adding 192.168.1.109 to csf.allow and iptables ACCEPT...
      ACCEPT  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0 
      ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109

      5. Remove and delete an IP from csf.allow.

      # csf -ar 192.168.1.109
      
      Removing rule...
      ACCEPT  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0 
      ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109

      6. Deny an IP and add to csf.deny:

       # csf -d 192.168.1.109
      
      Adding 192.168.1.109 to csf.deny and iptables DROP...
      DROP  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0 
      LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109

      7. Remove and delete an IP from csf.deny.

      # csf -dr 192.168.1.109
      
      Removing rule...
      DROP  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0 
      LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109

      8. Remove and Unblock all entries from csf.deny.

      # csf -df
      DROP  all opt -- in !lo out *  192.168.1.110  -> 0.0.0.0/0 
      LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.110 
      DROP  all opt -- in !lo out *  192.168.1.111  -> 0.0.0.0/0 
      LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.111   
      csf: all entries removed from csf.deny

      9. Search iptables for a pattern match, e.g. an IP, CIDR or port number:

      csf -g 192.168.1.110

      10. List the current CSF rules with:

      csf -l

      Step 6 – Example: Deny a Host

      [root@nijam csf]# csf -d 192.168.7.101
      Adding 192.168.7.101 to csf.deny and iptables DROP...
      DROP all opt -- in !lo out * 192.168.7.101 -> 0.0.0.0/0
      LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.7.101
      
      [root@nijam csf]# csf -r
      Flushing chain `INPUT'
      Flushing chain `FORWARD'
      ...
      ...
      ....
      LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
      LOCALINPUT all opt in !lo out * ::/0 -> ::/0

       To list the rules:

      [root@ijam csf]# csf -l
      Chain INPUT (policy DROP 0 packets, 0 bytes)
      num pkts bytes target prot opt in out source des
      .....
      .....
      .....
      Chain DENYIN (1 references)
      num pkts bytes target prot opt in out source destination
      
      1 1 165 DROP all -- !lo * 192.168.7.101 0.0.0.0/0
      
      ...
      ...
      ...

      To verify, try to reach the IP:

      [root@nijam csf]# ping 192.168.7.101
      PING 192.168.7.101 (192.168.7.101) 56(84) bytes of data.
      ping: sendmsg: Operation not permitted
      ping: sendmsg: Operation not permitted
      ping: sendmsg: Operation not permitted

      Now add it to the allow list:

      [root@nijam csf]# csf -a 192.168.7.101
      Removing 192.168.7.101 from csf.deny...
      Removing rule...
      DROP all opt -- in !lo out * 192.168.7.101 -> 0.0.0.0/0
      LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.7.101
      Adding 192.168.7.101 to csf.allow and iptables ACCEPT...
      ACCEPT all opt -- in !lo out * 192.168.7.101 -> 0.0.0.0/0
      ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.7.101
      [root@ijam csf]# csf -r
      Flushing chain `INPUT'
      Flushing chain `FORWARD'
      ...
      ...
      ...

      To list the rules again:

      [root@nijam csf]# csf -l
      Chain INPUT (policy DROP 0 packets, 0 bytes)
      num pkts bytes target prot opt in out source destination
      1 0 0 ACCEPT tcp -- !lo * 8.8.8.8 0.0.0.0/0 tcp dpt:53
      
      Chain ALLOWOUT (1 references)
      num pkts bytes target prot opt in out source destination
      1 0 0 ACCEPT all -- * !lo 0.0.0.0/0 192.168.7.101
      
      .....

      To verify, ping again:

      [root@nijam csf]# ping 192.168.7.101
      PING 192.168.7.101 (192.168.7.101) 56(84) bytes of data.
      64 bytes from 192.168.7.101: icmp_seq=1 ttl=128 time=1.40 ms
      64 bytes from 192.168.7.101: icmp_seq=2 ttl=128 time=0.377 ms
      64 bytes from 192.168.7.101: icmp_seq=3 ttl=128 time=0.321 ms
      64 bytes from 192.168.7.101: icmp_seq=4 ttl=128 time=0.241 ms
      64 bytes from 192.168.7.101: icmp_seq=5 ttl=128 time=0.341 ms
      ............

      Step 7 – Removing the CSF Firewall
      Run the uninstall script at /etc/csf/uninstall.sh to remove CSF:

      [root@nijam csf]# /etc/csf/uninstall.sh
      Uninstalling csf and lfd...
      
      Flushing chain `INPUT'
      Flushing chain `FORWARD'
      Flushing chain `OUTPUT'
      ...
      ...
      ...
      removed directory: `/var/lib/csf/ui'
      removed directory: `/var/lib/csf'
      
      ...Done