networking:firewall:csf

Differences

This shows you the differences between two versions of the page.

networking:firewall:csf [2020/12/31 15:40]
gcooper
networking:firewall:csf [2023/03/10 10:46]
gcooper
Line 15: Line 15:
 http://www.bsntech.com/installing-configserver-firewall-on-ubuntu-1204/ http://www.bsntech.com/installing-configserver-firewall-on-ubuntu-1204/
  
-  * Advanced Firewall+  * **Advanced Firewall**
     * Replaces ''ufw'' and ''firewalld''     * Replaces ''ufw'' and ''firewalld''
-  * Log File Monitoring+  * **Log File Monitoring**
     * Replaces ''fail2ban''     * Replaces ''fail2ban''
-  * Webmin Module+  * **Webmin Module**
     * Easy web browser management     * Easy web browser management
-  * IP Block Lists+  * **IP Block Lists**
     * Preconfigured     * Preconfigured
     * Just enable the lists you want to use     * Just enable the lists you want to use
  
 ===== Prerequisites ===== ===== Prerequisites =====
 +
 +These commands also install **Webmin**, which enables a web GUI for CSF and host management.
  
 ==== Ubuntu ==== ==== Ubuntu ====
  
-=== Without Virtualmin ===+=== Webmin Already Installed ===
  
 <file> <file>
-echo -e "\n# Webmin\ndeb http://download.webmin.com/download/repository sarge contrib\ndeb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib" >> /etc/apt/sources.list +apt-get install unzip ipset libwww-perl liblist-compare-perl liblwp-protocol-https-perl \
-wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add - +
-add-apt-repository universe +
-apt-get install webmin ssmtp unzip ipset libwww-perl liblist-compare-perl \ +
-liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \ +
-libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl +
-</file> +
- +
-=== Virtualmin Already Installed === +
- +
-<file> +
-sudo apt-get install unzip ipset libwww-perl liblist-compare-perl liblwp-protocol-https-perl \+
 libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl \ libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl \
 libsocket6-perl libgd-graph-perl libsocket6-perl libgd-graph-perl
 </file> </file>
  
-==== CentOS 7 ====+=== No Webmin Installed ===
  
 <file> <file>
-echo -e "[Webmin]\nname=Webmin Distribution Neutral\nbaseurl=http://download.webmin.com/download/yum\nenabled=1" > /etc/yum.repos.d/webmin.repo +echo -e "\n# Webmin\ndeb http://download.webmin.com/download/repository sarge contrib\ndeb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib>> /etc/apt/sources.list 
-rpm --import http://www.webmin.com/jcameron-key.asc +wget -http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add - 
-yum install webmin ipset net-tools perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN perl-LWP-Protocol-https perl-IO-Socket-INET6 perl-Socket6+add-apt-repository universe && apt update 
 + 
 +apt install webmin unzip ipset libwww-perl liblist-compare-perl 
 +liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \ 
 +libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl
 </file> </file>
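Review bot: The "No Webmin Installed" block on the right side is not runnable as written. The `echo -e "...contrib>> /etc/apt/sources.list` line has lost its closing double quote, so the shell sees an unterminated string and nothing is appended; `wget -http://www.webmin.com/jcameron-key.asc -O-` has lost the `-q` flag and should read `wget -q http://www.webmin.com/jcameron-key.asc -O-`; and the `apt install webmin unzip ipset libwww-perl liblist-compare-perl` line is missing the trailing `\`, so the two continuation lines execute as a separate command and fail with "command not found". Two further points: `apt-key add` is deprecated on current Debian and Ubuntu, and the signing key is fetched over plain http, so the repository trust is bootstrapped without transport integrity; fetch the key over https and install it as a dedicated keyring (signed-by) instead, and confirm the legacy `sarge contrib` repository line against Webmin's current install instructions before publishing. Finally, the new sentence under Prerequisites says these commands "also install Webmin", but the "Webmin Already Installed" variant does not; qualify it.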
  
Line 60: Line 55:
 ==== Prep Default Firewall ==== ==== Prep Default Firewall ====
  
-You may want to open a few holes in the default firewall just in case it ever gets turned back on.+You may optionally want to open a few holes in the default firewall just in case it ever gets turned back on.
  
 === Ubuntu === === Ubuntu ===
Line 67: Line 62:
 systemctl status ufw.service systemctl status ufw.service
 ufw status verbose ufw status verbose
-ufw allow 10000/tcp  #Webmin +ufw allow from <your_management_ip_cidrproto tcp to any port 10000 #Webmin
-ufw allow 22222/tcp  #Custom SSH Port +
-</file> +
- +
-=== CentOS === +
- +
-<file> +
-systemctl status firewalld.service +
-firewall-cmd --permanent --add-port=10000/tcp+
 </file> </file>
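Review bot: `ufw allow from <your_management_ip_cidrproto tcp to any port 10000` is missing the closing `>` and the space before `proto`, so ufw rejects it; it should read `ufw allow from <your_management_ip_cidr> proto tcp to any port 10000`. Restricting Webmin to a management source is the right change over the old `ufw allow 10000/tcp`. Dropping the `ufw allow 22222/tcp` line, though, removes the one hole that matters if ufw ever comes back on: the SSH port. Since the new TCP_IN table further down opens 22 rather than 2222, add the matching `ufw allow` for the SSH port here, ideally also restricted to the management source.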
  
Line 84: Line 71:
 http://www.ask-gabe.com/server-admin/how-to-install-csf-config-server-firewall-with-webmin-support/ http://www.ask-gabe.com/server-admin/how-to-install-csf-config-server-firewall-with-webmin-support/
  
-:!: Upon installation, CSF automatically opens ports for network services that are currently running.+:!: To ease installation, CSF **automatically opens ports for network services that are currently running**.
  
-:!: Upon installation, CSF starts in Testing Mode.  You must take it out of Testing Mode after revising the configuration.+:!: Upon installation, CSF starts in **Testing Mode**.  You must take it out of Testing Mode after revising the configuration.
  
 :!: Upon installation, check the **OS Specific Settings** and verify that your OS was detected properly and that the **Log file locations** are correct.  :!: Upon installation, check the **OS Specific Settings** and verify that your OS was detected properly and that the **Log file locations** are correct. 
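Review bot: The bolded "automatically opens ports for network services that are currently running" describes the behaviour but not the check it calls for: whatever was listening at install time (a database bound to 0.0.0.0, a development HTTP server) ends up in the generated TCP_IN/UDP_IN and their IPv6 equivalents and stays exposed once TESTING is set to 0. Add a sentence telling the reader to compare the generated lists against the intended port table before leaving Testing Mode, for example with `grep -E '^(TCP|UDP)6?_(IN|OUT)' /etc/csf/csf.conf`.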
Line 106: Line 93:
 <file> <file>
 ps -aux ps -aux
-groupadd mysyslog   # if the group doesn't already exist +groupadd mysyslog         # if the group doesn't already exist 
-usermod -G mysyslog clamav #www-data, proftpd, postfix, mysql, dovecot, root, syslog, opendkim, postgrey, zimbra+usermod -G mysyslog root 
 +syslog daemon messagebus systemd-network systemd-resolve 
 +# clamav www-data, proftpd, postfix, mysql, dovecot, opendkim, postgrey, zimbra, lool 
 +grep mysyslog /etc/group
 </file> </file>
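Review bot: `usermod -G mysyslog root` replaces the user's supplementary group list instead of adding to it; use `usermod -aG mysyslog <user>` for every account you add, or accounts such as clamav, postfix and www-data lose whatever supplementary groups they already have and their services break. The next line, `syslog daemon messagebus systemd-network systemd-resolve`, is a bare list of user names rather than a command, so pasted as-is it fails with "syslog: command not found"; either prefix it with `#` like the line below it, or turn both lists into `for u in syslog daemon messagebus systemd-network systemd-resolve; do usermod -aG mysyslog "$u"; done`. Minor: `ps -aux` is the BSD form with a stray dash; procps accepts it with a warning, but `ps aux` is what is meant.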
  
Line 210: Line 200:
 |Testing            |0                                               | |Testing            |0                                               |
 |IPV6               |1                                               | |IPV6               |1                                               |
-|TCP_IN             |20,21,25,53,80,110,143,443,465,587,993,995,2222,10000,20000 +|TCP_IN             |20,21,22,25,53,80,110,143,443,465,587,993,995   
-|TCP_OUT            |20,21,22,25,53,80,110,113,443,2222              |+|TCP_OUT            |20,21,22,25,53,80,110,113,443                   |
 |UDP_IN             |20,21,53                                        | |UDP_IN             |20,21,53                                        |
 |UDP_OUT            |20,21,53,113,123,33434:33523                    | |UDP_OUT            |20,21,53,113,123,33434:33523                    |
-|TCP6_IN            |20,21,25,53,80,110,143,443,465,587,993,995,2222,10000,20000 +|TCP6_IN            |20,21,22,25,53,80,110,143,443,465,587,993,995   
-|TCP6_OUT           |20,21,22,25,53,80,110,113,443,2222              |+|TCP6_OUT           |20,21,22,25,53,80,110,113,443                   |
 |UDP6_IN            |20,21,53                                        | |UDP6_IN            |20,21,53                                        |
 |UDP6_OUT           |20,21,53,113,123,33434:33523                    | |UDP6_OUT           |20,21,53,113,123,33434:33523                    |
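Review bot: The rewritten `TCP_IN` and `TCP6_IN` rows have no closing `|`, so DokuWiki will not render them as table cells (the old rows had the same defect; every other row in the table ends with `|`). Content-wise the change is consistent: 2222, 10000 and 20000 drop out of the public lists and 22 comes in, with Webmin access now expected to come from the source-restricted `tcp|in|d=10000|s=1.2.3.4` entry added later in this revision rather than from TCP_IN. That dependency deserves a sentence next to the table, because a reader who copies these values without the csf.allow entry locks themselves out of Webmin.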
Line 224: Line 214:
 |LF_IPSET           |1                                               | |LF_IPSET           |1                                               |
 |SYNFLOOD           |1                                               | |SYNFLOOD           |1                                               |
-|CONNLIMIT          |22;10,80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5,2222;10,10000;30 +|CONNLIMIT          |22;10,80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5 | 
-|PORTFLOOD          |22;tcp;15;300,80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5,2222;tcp;15;300,10000;tcp;30;5 |+|PORTFLOOD          |22;tcp;15;300,80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5 |
 |DROP_OUT_LOGGING   |1                                               | |DROP_OUT_LOGGING   |1                                               |
 |CONNLIMIT_LOGGING  |1                                               | |CONNLIMIT_LOGGING  |1                                               |
Line 292: Line 282:
  
 To allow a range of ports to and from a remote host: To allow a range of ports to and from a remote host:
 +
 +# Webmin Access
 +tcp|in|d=10000|s=1.2.3.4   # Allow from your management IP or CIDR
  
 <file> <file>
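Review bot: The two added lines `# Webmin Access` and `tcp|in|d=10000|s=1.2.3.4` sit in the prose between the sentence "To allow a range of ports to and from a remote host:" and the `<file>` block that illustrates it, so they render as body text and read as part of the port-range example. Put them in their own `<file>` block under a short introduction stating that this is the csf.allow advanced syntax (protocol|direction|port|address) and that the `s=` value may be a single address or a CIDR, as the trailing comment already says.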
Line 311: Line 304:
  
 http://www.host-stage.net/client-area/knowledgebase/53/How-To-Backup-or-Restore-or-Export-your-CSF-Firewall-Configuration.html http://www.host-stage.net/client-area/knowledgebase/53/How-To-Backup-or-Restore-or-Export-your-CSF-Firewall-Configuration.html
- 
  
 <file> <file>
 cd /etc/csf/ cd /etc/csf/
-tar cvfz csfbackup.tgz csf.conf csf.allow csf.deny csf.*ignore csf.blocklists+tar cvfz csfbackup.tgz csf.conf csf.allow csf.dyndns csf.deny csf.*ignore csf.blocklists
 </file> </file>
 +
 +:!: Copy the ''csfbackup.tgz'' file to the new server and move it into ''/etc/csf/'' before extracting.
 +
 +<file>
 +cd /etc/csf/ && tar -xzvf csfbackup.tgz
 +</file>
 +
 +:!: You may need to manually deal with ''/usr/local/csf/bin/regex.custom.pm'' if you have customized LFD.
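Review bot: The restore step extracts over whatever is already in /etc/csf/ without a safety copy and never activates the result: after `tar -xzvf csfbackup.tgz` the running rules are unchanged until `csf -ra` (restart csf and lfd), and the restored csf.conf arrives with the old server's TESTING value and OS-specific log paths, so the "check OS Specific Settings" advice from the Installation section applies again here, particularly when the two hosts run different distributions. Suggest `cp -a /etc/csf /etc/csf.pre-restore` before extracting and `csf -ra` after. Adding csf.dyndns to the tarball is right; it is also worth spelling out that `csf.*ignore` picks up csf.pignore and csf.rignore among others, since a tuned lfd depends on those exclusions.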
  
 ===== Logging ===== ===== Logging =====
Line 333: Line 333:
  
 ==== Log to Separate File ==== ==== Log to Separate File ====
 +
 +:!: If you do this, be sure to change ''IPTABLES_LOG'' in ''csf.conf''.
  
 You may find a busy server ''syslog'' gets polluted by ''iptables'' firewall lines.  This will separate the ''iptables'' stuff into a separate log file. You may find a busy server ''syslog'' gets polluted by ''iptables'' firewall lines.  This will separate the ''iptables'' stuff into a separate log file.
Line 416: Line 418:
 **Research**: http://forum.configserver.com/viewtopic.php?t=7719 **Research**: http://forum.configserver.com/viewtopic.php?t=7719
  
-Edit ''csf.blocklists'' (self documnented) and un-comment at least the CIDR lists:+Edit ''csf.blocklists'' (self documnented) and **un-comment at least the CIDR lists**:
  
   * SPAMDROP   * SPAMDROP
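Review bot: Typo carried over from the previous revision on the line that was touched to add the bold: "documnented" should be "documented". Fix it in the same edit.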
Line 422: Line 424:
   * DSHIELD   * DSHIELD
  
-:!: As long as you install ''ipset'' and have enabled ''LF_IPSET'', you can probably enable as many blocklists as you want.+<note tip>As long as you install ''ipset'' and have enabled ''LF_IPSET'', and you have the CPU and memory resources, you can probably enable as many blocklists as you want.</note>
  
 While the CIDR lists above will cover about 92%, you may also consider these other lists, if you have resources to spare (CPU, memory): While the CIDR lists above will cover about 92%, you may also consider these other lists, if you have resources to spare (CPU, memory):
Line 447: Line 449:
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
 +
 +==== Hanging ====
 +
 +Try flushing all the temporary and/or permanent blocks:
 +
 +<file>
 +csf -tf && csf -df && csf -ra
 +</file>
  
 ==== Watch Mode ==== ==== Watch Mode ====
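Review bot: `csf -df` in the new Hanging remedy is destructive: it removes and unblocks every entry in /etc/csf/csf.deny, including permanent blocks added by hand, not only stale entries (`csf -tf` already flushes the temporary ones). Say so, and have the reader copy the file aside first (`cp -a /etc/csf/csf.deny /etc/csf/csf.deny.$(date +%F)`), or recommend `csf -tf && csf -ra` first and `csf -df` only as a last resort. "Hanging" is also undefined: hanging of what (`csf -r` taking minutes, lfd not responding, the Webmin module timing out)? If the symptom is a large deny list producing thousands of iptables rules, state that and point at LF_IPSET, which the configuration table above already enables.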
Line 505: Line 515:
  
 ====== LFD - Login Failure Daemon ====== ====== LFD - Login Failure Daemon ======
 +
 +**Custom RegEx**: https://forum.configserver.com/viewtopic.php?t=7517
  
 LFD does more than just monitor log files for login failures. LFD does more than just monitor log files for login failures.
Line 528: Line 540:
 **Virtualmin SMTP**: https://www.virtualmin.com/comment/737419#comment-737419 **Virtualmin SMTP**: https://www.virtualmin.com/comment/737419#comment-737419
  
-:!: The Postfix MTA is not directly supported by LFD.  You must use custom settings.+:!: The Postfix MTA is not directly supported by LFD.  You must use custom settings.  FIXME Is this still true?
  
 ==== CentOS ==== ==== CentOS ====
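Review bot: The added "FIXME Is this still true?" leaves an open question on a published page. Resolve it against the csf.conf the reader has: the comments around LF_SMTPAUTH and SMTPAUTH_LOG describe which SMTP AUTH failure log formats lfd matches, and anything not covered there still needs the regex.custom.pm route this page already describes. If it cannot be verified now, reword the note as "verify against your csf.conf" rather than shipping a FIXME.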
networking/firewall/csf.txt · Last modified: 2023/03/10 10:48 by gcooper