networking:firewall:csf [2022/04/29 10:29] gcooper |
networking:firewall:csf [2023/03/10 10:48] (current) gcooper |
Line 26: | Line 26: | ||
===== Prerequisites ===== | ===== Prerequisites ===== | ||
+ | |||
+ | These commands also install **Webmin**, which enables a web GUI for CSF and host management. | ||
==== Ubuntu ==== | ==== Ubuntu ==== | ||
- | === Without Virtualmin | + | === Webmin Already Installed |
< | < | ||
- | echo -e "\n# Webmin\ndeb http:// | + | apt-get install unzip ipset libwww-perl liblist-compare-perl liblwp-protocol-https-perl \ |
- | wget -q http:// | + | |
- | add-apt-repository universe && apt update | + | |
- | apt install webmin ssmtp unzip ipset libwww-perl liblist-compare-perl \ | + | |
- | liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \ | + | |
- | libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl | + | |
- | </ | + | |
- | + | ||
- | === Virtualmin Already Installed === | + | |
- | + | ||
- | < | + | |
- | sudo apt-get install unzip ipset libwww-perl liblist-compare-perl liblwp-protocol-https-perl \ | + | |
libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl \ | libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl \ | ||
libsocket6-perl libgd-graph-perl | libsocket6-perl libgd-graph-perl | ||
</ | </ | ||
- | ==== CentOS 7 ==== | + | === No Webmin Installed |
< | < | ||
- | echo -e "[Webmin]\nname=Webmin | + | echo -e "\n# Webmin\ndeb http:// |
- | rpm --import | + | wget -q http:// |
- | yum install webmin ipset net-tools perl-IO-Socket-SSL.noarch | + | add-apt-repository universe && apt update |
+ | |||
+ | apt install webmin | ||
+ | liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \ | ||
+ | libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl | ||
</ | </ | ||
Line 60: | Line 55: | ||
==== Prep Default Firewall ==== | ==== Prep Default Firewall ==== | ||
- | You may want to open a few holes in the default firewall just in case it ever gets turned back on. | + | You may optionally |
=== Ubuntu === | === Ubuntu === | ||
Line 67: | Line 62: | ||
systemctl status ufw.service | systemctl status ufw.service | ||
ufw status verbose | ufw status verbose | ||
- | ufw allow 10000/ | + | ufw allow from <your_management_ip_cidr> proto tcp to any port 10000 #Webmin |
- | </file> | + | |
- | + | ||
- | === CentOS === | + | |
- | + | ||
- | < | + | |
- | systemctl status firewalld.service | + | |
- | firewall-cmd --permanent --add-port=10000/tcp | + | |
</ | </ | ||
Line 83: | Line 71: | ||
http:// | http:// | ||
- | :!: Upon installation, | + | :!: To ease installation, |
- | :!: Upon installation, | + | :!: Upon installation, |
:!: Upon installation, | :!: Upon installation, | ||
Line 212: | Line 200: | ||
|Testing | |Testing | ||
|IPV6 | |IPV6 | ||
- | |TCP_IN | + | |TCP_IN |
- | |TCP_OUT | + | |TCP_OUT |
|UDP_IN | |UDP_IN | ||
|UDP_OUT | |UDP_OUT | ||
- | |TCP6_IN | + | |TCP6_IN |
- | |TCP6_OUT | + | |TCP6_OUT |
|UDP6_IN | |UDP6_IN | ||
|UDP6_OUT | |UDP6_OUT | ||
Line 226: | Line 214: | ||
|LF_IPSET | |LF_IPSET | ||
|SYNFLOOD | |SYNFLOOD | ||
- | |CONNLIMIT | + | |CONNLIMIT |
- | |PORTFLOOD | + | |PORTFLOOD |
|DROP_OUT_LOGGING | |DROP_OUT_LOGGING | ||
|CONNLIMIT_LOGGING | |CONNLIMIT_LOGGING | ||
Line 291: | Line 279: | ||
< | < | ||
tcp|out|d=587|d=1.2.3.4 | tcp|out|d=587|d=1.2.3.4 | ||
+ | </ | ||
+ | |||
+ | To allow Webmin access: | ||
+ | |||
+ | < | ||
+ | # Webmin Access | ||
+ | tcp|in|d=10000|s=1.2.3.4 | ||
</ | </ | ||
Line 317: | Line 312: | ||
cd /etc/csf/ | cd /etc/csf/ | ||
tar cvfz csfbackup.tgz csf.conf csf.allow csf.dyndns csf.deny csf.*ignore csf.blocklists | tar cvfz csfbackup.tgz csf.conf csf.allow csf.dyndns csf.deny csf.*ignore csf.blocklists | ||
+ | </ | ||
+ | |||
+ | :!: Copy the '' | ||
+ | |||
+ | < | ||
+ | cd /etc/csf/ && tar -xzvf csfbackup.tgz | ||
</ | </ | ||
Line 518: | Line 519: | ||
====== LFD - Login Failure Daemon ====== | ====== LFD - Login Failure Daemon ====== | ||
+ | |||
+ | **Custom RegEx**: https:// | ||
LFD does more than just monitor log files for login failures. | LFD does more than just monitor log files for login failures. | ||
Line 541: | Line 544: | ||
**Virtualmin SMTP**: https:// | **Virtualmin SMTP**: https:// | ||
- | :!: The Postfix MTA is not directly supported by LFD. You must use custom settings. | + | :!: The Postfix MTA is not directly supported by LFD. You must use custom settings. |
==== CentOS ==== | ==== CentOS ==== |
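Review bot: The new "No Webmin Installed" block for Ubuntu still adds the Webmin apt source and fetches its signing key over plain http:// — the URLs are truncated in this rendering, but both visible prefixes, `echo -e "\n# Webmin\ndeb http://` and `wget -q http://`, start with http://. A repository key retrieved over an unauthenticated channel can be swapped in transit, which undermines apt's signature verification for everything later installed from that source, webmin included. Both URLs should be changed to https://, and if the downloaded key is being imported via apt-key (not visible here), it would be better saved to a keyring file and referenced with `signed-by=` in the deb line, since apt-key is deprecated on current Ubuntu releases. The later `ufw allow from <your_management_ip_cidr> proto tcp to any port 10000` change and the source-pinned csf.allow rule `tcp|in|d=10000|s=1.2.3.4` are consistent with each other; a one-line reminder that the placeholder address must be replaced with the admin's real management range would help readers who copy the block verbatim.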