This shows you the differences between two versions of the page.
networking:firewall:csf [2020/12/31 16:16] gcooper |
networking:firewall:csf [2023/03/10 10:48] (current) gcooper |
||
---|---|---|---|
Line 26: | Line 26: | ||
===== Prerequisites ===== | ===== Prerequisites ===== | ||
+ | |||
+ | These commands also install **Webmin**, which enables a web GUI for CSF and host management. | ||
==== Ubuntu ==== | ==== Ubuntu ==== | ||
- | === Without Virtualmin | + | === Webmin Already Installed |
< | < | ||
- | echo -e "\n# Webmin\ndeb http:// | + | apt-get install unzip ipset libwww-perl liblist-compare-perl liblwp-protocol-https-perl \ |
- | wget -q http:// | + | |
- | add-apt-repository universe | + | |
- | apt-get install webmin ssmtp unzip ipset libwww-perl liblist-compare-perl \ | + | |
- | liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \ | + | |
- | libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl | + | |
- | </ | + | |
- | + | ||
- | === Virtualmin Already Installed === | + | |
- | + | ||
- | < | + | |
- | sudo apt-get install unzip ipset libwww-perl liblist-compare-perl liblwp-protocol-https-perl \ | + | |
libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl \ | libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl \ | ||
libsocket6-perl libgd-graph-perl | libsocket6-perl libgd-graph-perl | ||
</ | </ | ||
- | ==== CentOS 7 ==== | + | === No Webmin Installed |
< | < | ||
- | echo -e "[Webmin]\nname=Webmin | + | echo -e "\n# Webmin\ndeb http:// |
- | rpm --import | + | wget -q http:// |
- | yum install webmin ipset net-tools perl-IO-Socket-SSL.noarch | + | add-apt-repository universe && apt update |
+ | |||
+ | apt install webmin | ||
+ | liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \ | ||
+ | libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl | ||
</ | </ | ||
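Review bot: In the "No Webmin Installed" block, both the `deb http://` repository line and the `wget -q http://` key download use plain HTTP, so the signing key that is supposed to authenticate the packages arrives over a channel that anyone on the path can alter. Switch both URLs to `https://` if the vendor serves them that way, and add a step that compares the downloaded key's fingerprint with the published one before the repository is trusted. Separately, the new sentence under Prerequisites says "These commands also install Webmin", which holds only for the second block; the "Webmin Already Installed" block installs the Perl dependencies alone, so the sentence reads better placed under the second heading.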
Line 60: | Line 55: | ||
==== Prep Default Firewall ==== | ==== Prep Default Firewall ==== | ||
- | You may want to open a few holes in the default firewall just in case it ever gets turned back on. | + | You may optionally |
=== Ubuntu === | === Ubuntu === | ||
Line 67: | Line 62: | ||
systemctl status ufw.service | systemctl status ufw.service | ||
ufw status verbose | ufw status verbose | ||
- | ufw allow 10000/ | + | ufw allow from <your_management_ip_cidr> proto tcp to any port 10000 #Webmin |
- | </file> | + | |
- | + | ||
- | === CentOS === | + | |
- | + | ||
- | < | + | |
- | systemctl status firewalld.service | + | |
- | firewall-cmd --permanent --add-port=10000/tcp | + | |
</ | </ | ||
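Review bot: On the new `ufw allow from <your_management_ip_cidr> proto tcp to any port 10000` line, the angle brackets are shell redirection operators, so a reader who pastes the line without editing it gets a shell error instead of a firewall rule. Inside a code block a bare placeholder such as `MGMT_CIDR`, or a documentation-range value like `192.0.2.0/24`, is safer, with one sentence above the block telling the reader to substitute their own management range. Limiting port 10000 by source address is the right direction compared with the old open `ufw allow 10000/` rule.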
Line 83: | Line 71: | ||
http:// | http:// | ||
- | :!: Upon installation, | + | :!: To ease installation, |
- | :!: Upon installation, | + | :!: Upon installation, |
:!: Upon installation, | :!: Upon installation, | ||
Line 105: | Line 93: | ||
< | < | ||
ps -aux | ps -aux | ||
- | groupadd mysyslog | + | groupadd mysyslog |
- | usermod -G mysyslog | + | usermod -G mysyslog |
+ | # syslog daemon messagebus systemd-network systemd-resolve | ||
+ | # clamav | ||
+ | grep mysyslog /etc/group | ||
</ | </ | ||
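Review bot: `usermod -G mysyslog`, as far as the visible part of the line shows, carries no `-a`, and without it usermod replaces the account's supplementary group list instead of appending to it. The new comment names accounts such as syslog, clamav and systemd-network, which may already belong to groups they depend on; `usermod -a -G mysyslog <user>` keeps those memberships. The added `grep mysyslog /etc/group` check confirms the new group's members, but an `id <user>` per account would also show whether any earlier membership was dropped.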
Line 209: | Line 200: | ||
|Testing | |Testing | ||
|IPV6 | |IPV6 | ||
- | |TCP_IN | + | |TCP_IN |
- | |TCP_OUT | + | |TCP_OUT |
|UDP_IN | |UDP_IN | ||
|UDP_OUT | |UDP_OUT | ||
- | |TCP6_IN | + | |TCP6_IN |
- | |TCP6_OUT | + | |TCP6_OUT |
|UDP6_IN | |UDP6_IN | ||
|UDP6_OUT | |UDP6_OUT | ||
Line 223: | Line 214: | ||
|LF_IPSET | |LF_IPSET | ||
|SYNFLOOD | |SYNFLOOD | ||
- | |CONNLIMIT | + | |CONNLIMIT |
- | |PORTFLOOD | + | |PORTFLOOD |
|DROP_OUT_LOGGING | |DROP_OUT_LOGGING | ||
|CONNLIMIT_LOGGING | |CONNLIMIT_LOGGING | ||
Line 288: | Line 279: | ||
< | < | ||
tcp|out|d=587|d=1.2.3.4 | tcp|out|d=587|d=1.2.3.4 | ||
+ | </ | ||
+ | |||
+ | To allow Webmin access: | ||
+ | |||
+ | < | ||
+ | # Webmin Access | ||
+ | tcp|in|d=10000|s=1.2.3.4 | ||
</ | </ | ||
Line 310: | Line 308: | ||
http:// | http:// | ||
- | |||
< | < | ||
cd /etc/csf/ | cd /etc/csf/ | ||
- | tar cvfz csfbackup.tgz csf.conf csf.allow csf.deny csf.*ignore csf.blocklists | + | tar cvfz csfbackup.tgz csf.conf csf.allow |
</ | </ | ||
+ | |||
+ | :!: Copy the '' | ||
+ | |||
+ | < | ||
+ | cd /etc/csf/ && tar -xzvf csfbackup.tgz | ||
+ | </ | ||
+ | |||
+ | :!: You may need to manually deal with ''/ | ||
===== Logging ===== | ===== Logging ===== | ||
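Review bot: The restore block ends at `cd /etc/csf/ && tar -xzvf csfbackup.tgz`, which overwrites the files on disk but leaves the running rules unchanged until csf and lfd are restarted. Add `csf -ra`, which the Troubleshooting section already uses, as the last restore step. Since the archive is created inside /etc/csf, it only serves as a backup once it has been copied off the host, and it should be stored with the same restrictive permissions as the configuration files it contains.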
Line 332: | Line 337: | ||
==== Log to Separate File ==== | ==== Log to Separate File ==== | ||
+ | |||
+ | :!: If you do this, be sure to change '' | ||
You may find a busy server '' | You may find a busy server '' | ||
Line 415: | Line 422: | ||
**Research**: | **Research**: | ||
- | Edit '' | + | Edit '' |
* SPAMDROP | * SPAMDROP | ||
Line 421: | Line 428: | ||
* DSHIELD | * DSHIELD | ||
- | :!: As long as you install '' | + | <note tip>As long as you install '' |
While the CIDR lists above will cover about 92%, you may also consider these other lists, if you have resources to spare (CPU, memory): | While the CIDR lists above will cover about 92%, you may also consider these other lists, if you have resources to spare (CPU, memory): | ||
Line 446: | Line 453: | ||
===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
+ | |||
+ | ==== Hanging ==== | ||
+ | |||
+ | Try flushing all the temporary and/or permanent blocks: | ||
+ | |||
+ | < | ||
+ | csf -tf && csf -df && csf -ra | ||
+ | </ | ||
==== Watch Mode ==== | ==== Watch Mode ==== | ||
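Review bot: The text says "temporary and/or permanent", but `csf -tf && csf -df && csf -ra` always does both: `-df` removes every entry in csf.deny, so this troubleshooting step also discards all permanent blocks. Split the command so the reader tries `csf -tf` followed by `csf -ra` first, and runs `csf -df` only if the hang persists and after saving a copy of csf.deny.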
Line 504: | Line 519: | ||
====== LFD - Login Failure Daemon ====== | ====== LFD - Login Failure Daemon ====== | ||
+ | |||
+ | **Custom RegEx**: https:// | ||
LFD does more than just monitor log files for login failures. | LFD does more than just monitor log files for login failures. | ||
Line 527: | Line 544: | ||
**Virtualmin SMTP**: https:// | **Virtualmin SMTP**: https:// | ||
- | :!: The Postfix MTA is not directly supported by LFD. You must use custom settings. | + | :!: The Postfix MTA is not directly supported by LFD. You must use custom settings. |
==== CentOS ==== | ==== CentOS ==== |