Virtual Architects Support Wiki

User Tools

Site Tools

You are here: start » networking » firewall » csf
Trace:
networking:firewall:csf

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
networking:firewall:csf [2022/06/13 11:57]
gcooper 		networking:firewall:csf [2023/03/10 10:48] (current)
gcooper
Line 26: Line 26:
  
 ===== Prerequisites ===== ===== Prerequisites =====
 +
 +These commands also install **Webmin**, which enables a web GUI for CSF and host management.
  
 ==== Ubuntu ==== ==== Ubuntu ====
  
-=== Without Virtualmin === +=== Webmin Already Installed ===
- +
-<file> +
-echo -e "\n# Webmin\ndeb http://download.webmin.com/download/repository sarge contrib\ndeb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib" >> /etc/apt/sources.list +
-wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add - +
-add-apt-repository universe && apt update +
-apt install webmin ssmtp unzip ipset libwww-perl liblist-compare-perl \ +
-liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \ +
-libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl +
-</file> +
- +
-=== Virtualmin Already Installed ===+
  
 <file> <file>
Line 48: Line 39:
 </file> </file>
  
-==== CentOS 7 ====+=== No Webmin Installed ===
  
 <file> <file>
-echo -e "[Webmin]\nname=Webmin Distribution Neutral\nbaseurl=http://download.webmin.com/download/yum\nenabled=1" > /etc/yum.repos.d/webmin.repo +echo -e "\n# Webmin\ndeb http://download.webmin.com/download/repository sarge contrib\ndeb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib>> /etc/apt/sources.list 
-rpm --import http://www.webmin.com/jcameron-key.asc +wget -http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add - 
-yum install webmin ipset net-tools perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN perl-LWP-Protocol-https perl-IO-Socket-INET6 perl-Socket6+add-apt-repository universe && apt update 
 + 
 +apt install webmin unzip ipset libwww-perl liblist-compare-perl 
 +liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \ 
 +libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl
 </file> </file>
  
Line 60: Line 55:
 ==== Prep Default Firewall ==== ==== Prep Default Firewall ====
  
-You may want to open a few holes in the default firewall just in case it ever gets turned back on.+You may optionally want to open a few holes in the default firewall just in case it ever gets turned back on.
  
 === Ubuntu === === Ubuntu ===
Line 67: Line 62:
 systemctl status ufw.service systemctl status ufw.service
 ufw status verbose ufw status verbose
-ufw allow 10000/tcp  #Webmin +ufw allow from <your_management_ip_cidrproto tcp to any port 10000 #Webmin
-</file> +
- +
-=== CentOS === +
- +
-<file> +
-systemctl status firewalld.service +
-firewall-cmd --permanent --add-port=10000/tcp+
 </file> </file>
  
Line 83: Line 71:
 http://www.ask-gabe.com/server-admin/how-to-install-csf-config-server-firewall-with-webmin-support/ http://www.ask-gabe.com/server-admin/how-to-install-csf-config-server-firewall-with-webmin-support/
  
-:!: Upon installation, CSF automatically opens ports for network services that are currently running.+:!: To ease installation, CSF **automatically opens ports for network services that are currently running**.
  
-:!: Upon installation, CSF starts in Testing Mode.  You must take it out of Testing Mode after revising the configuration.+:!: Upon installation, CSF starts in **Testing Mode**.  You must take it out of Testing Mode after revising the configuration.
  
 :!: Upon installation, check the **OS Specific Settings** and verify that your OS was detected properly and that the **Log file locations** are correct.  :!: Upon installation, check the **OS Specific Settings** and verify that your OS was detected properly and that the **Log file locations** are correct. 
Line 212: Line 200:
 |Testing            |0                                               | |Testing            |0                                               |
 |IPV6               |1                                               | |IPV6               |1                                               |
-|TCP_IN             |20,21,22,25,53,80,110,143,443,465,587,993,995,2222,10000,20000 +|TCP_IN             |20,21,22,25,53,80,110,143,443,465,587,993,995   
-|TCP_OUT            |20,21,22,25,53,80,110,113,443,2222              |+|TCP_OUT            |20,21,22,25,53,80,110,113,443                   |
 |UDP_IN             |20,21,53                                        | |UDP_IN             |20,21,53                                        |
 |UDP_OUT            |20,21,53,113,123,33434:33523                    | |UDP_OUT            |20,21,53,113,123,33434:33523                    |
-|TCP6_IN            |20,21,22,25,53,80,110,143,443,465,587,993,995,2222,10000,20000 +|TCP6_IN            |20,21,22,25,53,80,110,143,443,465,587,993,995   
-|TCP6_OUT           |20,21,22,25,53,80,110,113,443,2222              |+|TCP6_OUT           |20,21,22,25,53,80,110,113,443                   |
 |UDP6_IN            |20,21,53                                        | |UDP6_IN            |20,21,53                                        |
 |UDP6_OUT           |20,21,53,113,123,33434:33523                    | |UDP6_OUT           |20,21,53,113,123,33434:33523                    |
Line 226: Line 214:
 |LF_IPSET           |1                                               | |LF_IPSET           |1                                               |
 |SYNFLOOD           |1                                               | |SYNFLOOD           |1                                               |
-|CONNLIMIT          |22;10,80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5,2222;10,10000;30 +|CONNLIMIT          |22;10,80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5 | 
-|PORTFLOOD          |22;tcp;15;300,80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5,2222;tcp;15;300,10000;tcp;30;5 |+|PORTFLOOD          |22;tcp;15;300,80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5 |
 |DROP_OUT_LOGGING   |1                                               | |DROP_OUT_LOGGING   |1                                               |
 |CONNLIMIT_LOGGING  |1                                               | |CONNLIMIT_LOGGING  |1                                               |
Line 291: Line 279:
 <file> <file>
 tcp|out|d=587|d=1.2.3.4 tcp|out|d=587|d=1.2.3.4
 +</file>
 +
 +To allow Webmin access:
 +
 +<file>
 +# Webmin Access
 +tcp|in|d=10000|s=1.2.3.4   # Allow from your management IP or CIDR
 </file> </file>
  
Line 524: Line 519:
  
 ====== LFD - Login Failure Daemon ====== ====== LFD - Login Failure Daemon ======
 +
 +**Custom RegEx**: https://forum.configserver.com/viewtopic.php?t=7517
  
 LFD does more than just monitor log files for login failures. LFD does more than just monitor log files for login failures.
Line 547: Line 544:
 **Virtualmin SMTP**: https://www.virtualmin.com/comment/737419#comment-737419 **Virtualmin SMTP**: https://www.virtualmin.com/comment/737419#comment-737419
  
-:!: The Postfix MTA is not directly supported by LFD.  You must use custom settings.+:!: The Postfix MTA is not directly supported by LFD.  You must use custom settings.  FIXME Is this still true?
  
 ==== CentOS ==== ==== CentOS ====
networking/firewall/csf.1655143028.txt.gz · Last modified: 2022/06/13 11:57 by gcooper

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki