networking:firewall:csf

Differences

This shows you the differences between two versions of the page.

networking:firewall:csf [2021/02/10 08:55]
gcooper
networking:firewall:csf [2023/03/10 10:48] (current)
gcooper
Line 26: Line 26:
  
 ===== Prerequisites ===== ===== Prerequisites =====
 +
 +These commands also install **Webmin**, which enables a web GUI for CSF and host management.
  
 ==== Ubuntu ==== ==== Ubuntu ====
  
-=== Without Virtualmin ===+=== Webmin Already Installed ===
  
 <file> <file>
-echo -e "\n# Webmin\ndeb http://download.webmin.com/download/repository sarge contrib\ndeb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib" >> /etc/apt/sources.list +apt-get install unzip ipset libwww-perl liblist-compare-perl liblwp-protocol-https-perl \
-wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add - +
-add-apt-repository universe && apt update +
-apt install webmin ssmtp unzip ipset libwww-perl liblist-compare-perl \ +
-liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \ +
-libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl +
-</file> +
- +
-=== Virtualmin Already Installed === +
- +
-<file> +
-sudo apt-get install unzip ipset libwww-perl liblist-compare-perl liblwp-protocol-https-perl \+
 libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl \ libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl \
 libsocket6-perl libgd-graph-perl libsocket6-perl libgd-graph-perl
 </file> </file>
  
-==== CentOS 7 ====+=== No Webmin Installed ===
  
 <file> <file>
-echo -e "[Webmin]\nname=Webmin Distribution Neutral\nbaseurl=http://download.webmin.com/download/yum\nenabled=1" > /etc/yum.repos.d/webmin.repo +echo -e "\n# Webmin\ndeb http://download.webmin.com/download/repository sarge contrib\ndeb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib>> /etc/apt/sources.list 
-rpm --import http://www.webmin.com/jcameron-key.asc +wget -http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add - 
-yum install webmin ipset net-tools perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN perl-LWP-Protocol-https perl-IO-Socket-INET6 perl-Socket6+add-apt-repository universe && apt update 
 + 
 +apt install webmin unzip ipset libwww-perl liblist-compare-perl 
 +liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \ 
 +libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl
 </file> </file>
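Review bot: the new "No Webmin Installed" block is not runnable as pasted. The `echo -e` line has lost the closing double quote before `>> /etc/apt/sources.list`, so the shell sees an unterminated string; the wget line reads `wget -http://www.webmin.com/jcameron-key.asc -O-`, where the `-q` flag and its following space have been squashed into the URL; and the first `apt install webmin unzip ipset libwww-perl liblist-compare-perl` line has no trailing `\`, so the package names on the next two lines would run as a separate command. Suggested fixes: `... sarge contrib" >> /etc/apt/sources.list`, `wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add -`, and a `\` at the end of the `apt install` line. Separately, the repository signing key is fetched over plain http and handed to `apt-key add`, which is deprecated on current Debian and Ubuntu; fetching it over https into a keyring file under /etc/apt/keyrings and referencing that file with `signed-by=` in the sources entry avoids a plaintext download of the trust root and stops the key from being trusted for every repository on the host.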
  
Line 60: Line 55:
 ==== Prep Default Firewall ==== ==== Prep Default Firewall ====
  
-You may want to open a few holes in the default firewall just in case it ever gets turned back on.+You may optionally want to open a few holes in the default firewall just in case it ever gets turned back on.
  
 === Ubuntu === === Ubuntu ===
Line 67: Line 62:
 systemctl status ufw.service systemctl status ufw.service
 ufw status verbose ufw status verbose
-ufw allow 10000/tcp  #Webmin +ufw allow from <your_management_ip_cidrproto tcp to any port 10000 #Webmin
-</file> +
- +
-=== CentOS === +
- +
-<file> +
-systemctl status firewalld.service +
-firewall-cmd --permanent --add-port=10000/tcp+
 </file> </file>
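Review bot: the new ufw line is missing the closing `>` of the placeholder and the space before `proto`, so `ufw allow from <your_management_ip_cidrproto tcp to any port 10000` will fail (and the shell will try to treat `<` as an input redirect). It should read `ufw allow from <your_management_ip_cidr> proto tcp to any port 10000 #Webmin`, with the placeholder replaced by a real address or CIDR before it is run. Scoping the Webmin rule to a management source is the right change from the old `ufw allow 10000/tcp`; since the CentOS subsection (`firewall-cmd --permanent --add-port=10000/tcp`) is deleted here while the page still carries other CentOS sections, either say that CentOS is no longer covered or give the equivalent firewalld rich rule with a `source address=` restriction.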
  
Line 83: Line 71:
 http://www.ask-gabe.com/server-admin/how-to-install-csf-config-server-firewall-with-webmin-support/ http://www.ask-gabe.com/server-admin/how-to-install-csf-config-server-firewall-with-webmin-support/
  
-:!: Upon installation, CSF automatically opens ports for network services that are currently running.+:!: To ease installation, CSF **automatically opens ports for network services that are currently running**.
  
-:!: Upon installation, CSF starts in Testing Mode.  You must take it out of Testing Mode after revising the configuration.+:!: Upon installation, CSF starts in **Testing Mode**.  You must take it out of Testing Mode after revising the configuration.
  
 :!: Upon installation, check the **OS Specific Settings** and verify that your OS was detected properly and that the **Log file locations** are correct.  :!: Upon installation, check the **OS Specific Settings** and verify that your OS was detected properly and that the **Log file locations** are correct. 
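Review bot: the reworded warning makes the consequence clearer but should also say what to do about it. Because the installer writes every port that is currently listening into TCP_IN/UDP_IN, the reader should review those lists in csf.conf before setting TESTING to 0 and remove anything that should not be reachable from the internet (for example a database or admin service that happened to be bound to all interfaces at install time). A pointer such as "compare `ss -tulpn` against TCP_IN/UDP_IN" would tie this warning to the Testing Mode warning that follows.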
Line 105: Line 93:
 <file> <file>
 ps -aux ps -aux
-groupadd mysyslog   # if the group doesn't already exist +groupadd mysyslog         # if the group doesn't already exist 
-usermod -G mysyslog clamav #www-data, proftpd, postfix, mysql, dovecot, root, syslog, opendkim, postgrey, zimbra+usermod -G mysyslog root 
 +syslog daemon messagebus systemd-network systemd-resolve 
 +# clamav www-data, proftpd, postfix, mysql, dovecot, opendkim, postgrey, zimbra, lool 
 +grep mysyslog /etc/group
 </file> </file>
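Review bot: two problems in the mysyslog block. `usermod -G mysyslog root` uses `-G` without `-a`, which replaces root's supplementary group list with just mysyslog instead of adding to it; it should be `usermod -aG mysyslog root`, and the same applies to every other account added this way. The next line, `syslog daemon messagebus systemd-network systemd-resolve`, is a bare list of usernames inside the `<file>` block rather than a command, so anyone pasting the block gets "command not found"; either comment it out like the line after it or turn it into a loop such as `for u in syslog daemon messagebus systemd-network systemd-resolve; do usermod -aG mysyslog "$u"; done`. If this group is the one named in RESTRICT_SYSLOG_GROUP for RESTRICT_SYSLOG = 3, the block should say so, because any service account left out of the group silently loses the ability to write to syslog, and the closing `grep mysyslog /etc/group` is the check that confirms nothing was missed.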
  
Line 209: Line 200:
 |Testing            |0                                               | |Testing            |0                                               |
 |IPV6               |1                                               | |IPV6               |1                                               |
-|TCP_IN             |20,21,22,25,53,80,110,143,443,465,587,993,995,2222,10000,20000 +|TCP_IN             |20,21,22,25,53,80,110,143,443,465,587,993,995   
-|TCP_OUT            |20,21,22,25,53,80,110,113,443,2222              |+|TCP_OUT            |20,21,22,25,53,80,110,113,443                   |
 |UDP_IN             |20,21,53                                        | |UDP_IN             |20,21,53                                        |
 |UDP_OUT            |20,21,53,113,123,33434:33523                    | |UDP_OUT            |20,21,53,113,123,33434:33523                    |
-|TCP6_IN            |20,21,22,25,53,80,110,143,443,465,587,993,995,2222,10000,20000 +|TCP6_IN            |20,21,22,25,53,80,110,143,443,465,587,993,995   
-|TCP6_OUT           |20,21,22,25,53,80,110,113,443,2222              |+|TCP6_OUT           |20,21,22,25,53,80,110,113,443                   |
 |UDP6_IN            |20,21,53                                        | |UDP6_IN            |20,21,53                                        |
 |UDP6_OUT           |20,21,53,113,123,33434:33523                    | |UDP6_OUT           |20,21,53,113,123,33434:33523                    |
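Review bot: dropping 2222, 10000 and 20000 from TCP_IN/TCP6_IN and 2222 from TCP_OUT/TCP6_OUT brings the lists back to CSF's shipped defaults, but the hunk does not say why. If sshd was listening on 2222 when the earlier revision was written, leaving it out will lock out SSH as soon as Testing is set to 0; the table should tell readers to confirm the real port (`sshd -T | grep -i '^port'`) and include it. Removing 10000 is only correct together with a source-restricted Webmin entry in csf.allow, as the page describes later; state that dependency beside the table so it is not applied in isolation.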
Line 223: Line 214:
 |LF_IPSET           |1                                               | |LF_IPSET           |1                                               |
 |SYNFLOOD           |1                                               | |SYNFLOOD           |1                                               |
-|CONNLIMIT          |22;10,80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5,2222;10,10000;30 +|CONNLIMIT          |22;10,80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5 | 
-|PORTFLOOD          |22;tcp;15;300,80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5,2222;tcp;15;300,10000;tcp;30;5 |+|PORTFLOOD          |22;tcp;15;300,80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5 |
 |DROP_OUT_LOGGING   |1                                               | |DROP_OUT_LOGGING   |1                                               |
 |CONNLIMIT_LOGGING  |1                                               | |CONNLIMIT_LOGGING  |1                                               |
Line 288: Line 279:
 <file> <file>
 tcp|out|d=587|d=1.2.3.4 tcp|out|d=587|d=1.2.3.4
 +</file>
 +
 +To allow Webmin access:
 +
 +<file>
 +# Webmin Access
 +tcp|in|d=10000|s=1.2.3.4   # Allow from your management IP or CIDR
 </file> </file>
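Review bot: the new csf.allow entry is the right way to scope Webmin, but its comment should make two conditions explicit: the rule only restricts access if 10000 is absent from TCP_IN (a TCP_IN entry opens the port to every source regardless of csf.allow), and `1.2.3.4` is a placeholder that must be replaced with a static management address or CIDR. For an operator on a dynamic address, csf.dyndns (which this revision adds to the backup list) is the appropriate mechanism rather than a fixed IP here. A matching `tcp|in|d=22|s=...` line would scope SSH the same way and is worth adding in the same block.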
  
Line 313: Line 311:
 <file> <file>
 cd /etc/csf/ cd /etc/csf/
-tar cvfz csfbackup.tgz csf.conf csf.allow csf.deny csf.*ignore csf.blocklists+tar cvfz csfbackup.tgz csf.conf csf.allow csf.dyndns csf.deny csf.*ignore csf.blocklists 
 +</file> 
 + 
 +:!: Copy the ''csfbackup.tgz'' file to the new server and move it into ''/etc/csf/'' before extracting. 
 + 
 +<file> 
 +cd /etc/csf/ && tar -xzvf csfbackup.tgz
 </file> </file>
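Review bot: the restore step overwrites the new server's csf.conf wholesale, including the OS-detection and log-file settings the page tells readers to verify after installation, so add after `tar -xzvf csfbackup.tgz` a check that the log paths and IPTABLES_LOG in the restored csf.conf are valid on the new host. Extracting alone changes nothing until a restart, so the block should end with `csf -r` and a restart of lfd for the restored rules and ignore lists to take effect. The archive is built with relative paths, so it must be extracted from inside /etc/csf; the added `cd /etc/csf/ &&` handles that correctly.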
  
Line 333: Line 337:
  
 ==== Log to Separate File ==== ==== Log to Separate File ====
 +
 +:!: If you do this, be sure to change ''IPTABLES_LOG'' in ''csf.conf''.
  
 You may find a busy server ''syslog'' gets polluted by ''iptables'' firewall lines.  This will separate the ''iptables'' stuff into a separate log file. You may find a busy server ''syslog'' gets polluted by ''iptables'' firewall lines.  This will separate the ''iptables'' stuff into a separate log file.
Line 416: Line 422:
 **Research**: http://forum.configserver.com/viewtopic.php?t=7719 **Research**: http://forum.configserver.com/viewtopic.php?t=7719
  
-Edit ''csf.blocklists'' (self documnented) and un-comment at least the CIDR lists:+Edit ''csf.blocklists'' (self documnented) and **un-comment at least the CIDR lists**:
  
   * SPAMDROP   * SPAMDROP
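Review bot: "self documnented" is misspelled on both sides of this hunk; since the line is being edited anyway, change it to "self-documented".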
Line 422: Line 428:
   * DSHIELD   * DSHIELD
  
-:!: As long as you install ''ipset'' and have enabled ''LF_IPSET'', you can probably enable as many blocklists as you want.+<note tip>As long as you install ''ipset'' and have enabled ''LF_IPSET'', and you have the CPU and memory resources, you can probably enable as many blocklists as you want.</note>
  
 While the CIDR lists above will cover about 92%, you may also consider these other lists, if you have resources to spare (CPU, memory): While the CIDR lists above will cover about 92%, you may also consider these other lists, if you have resources to spare (CPU, memory):
Line 513: Line 519:
  
 ====== LFD - Login Failure Daemon ====== ====== LFD - Login Failure Daemon ======
 +
 +**Custom RegEx**: https://forum.configserver.com/viewtopic.php?t=7517
  
 LFD does more than just monitor log files for login failures. LFD does more than just monitor log files for login failures.
Line 536: Line 544:
 **Virtualmin SMTP**: https://www.virtualmin.com/comment/737419#comment-737419 **Virtualmin SMTP**: https://www.virtualmin.com/comment/737419#comment-737419
  
-:!: The Postfix MTA is not directly supported by LFD.  You must use custom settings.+:!: The Postfix MTA is not directly supported by LFD.  You must use custom settings.  FIXME Is this still true?
  
 ==== CentOS ==== ==== CentOS ====
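Review bot: the added `FIXME Is this still true?` leaves the reader with a security-relevant uncertainty, namely whether Postfix SMTP-AUTH failures are counted by LFD at all. Resolve it by checking the regex.pm shipped with the installed CSF version for Postfix/SASL patterns against the local log format and, if none match, pointing to the custom-regex link added under the LFD heading and to regex.custom.pm. Until that is settled, the safe statement for readers is to verify with a deliberate failed SMTP login that a corresponding block appears in lfd.log.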
networking/firewall/csf.1612972510.txt.gz · Last modified: 2021/02/10 08:55 by gcooper