Virtual Architects Support Wiki

User Tools

Site Tools

You are here: start » networking » firewall » csf
Trace:
networking:firewall:csf

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
networking:firewall:csf [2022/06/13 12:01]
gcooper 		networking:firewall:csf [2023/03/10 10:48] (current)
gcooper
Line 27: Line 27:
 ===== Prerequisites ===== ===== Prerequisites =====
  
-These commands also install **Webmin**, which enables a web GUI for CSF management.+These commands also install **Webmin**, which enables a web GUI for CSF and host management.
  
 ==== Ubuntu ==== ==== Ubuntu ====
Line 45: Line 45:
 wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add - wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add -
 add-apt-repository universe && apt update add-apt-repository universe && apt update
-apt install webmin ssmtp unzip ipset libwww-perl liblist-compare-perl \+ 
 +apt install webmin unzip ipset libwww-perl liblist-compare-perl \
 liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \ liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \
 libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl
-</file> 
- 
-==== CentOS 7 ==== 
- 
-<file> 
-echo -e "[Webmin]\nname=Webmin Distribution Neutral\nbaseurl=http://download.webmin.com/download/yum\nenabled=1" > /etc/yum.repos.d/webmin.repo 
-rpm --import http://www.webmin.com/jcameron-key.asc 
-yum install webmin ipset net-tools perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN perl-LWP-Protocol-https perl-IO-Socket-INET6 perl-Socket6 
 </file> </file>
  
Line 62: Line 55:
 ==== Prep Default Firewall ==== ==== Prep Default Firewall ====
  
-You may want to open a few holes in the default firewall just in case it ever gets turned back on.+You may optionally want to open a few holes in the default firewall just in case it ever gets turned back on.
  
 === Ubuntu === === Ubuntu ===
Line 69: Line 62:
 systemctl status ufw.service systemctl status ufw.service
 ufw status verbose ufw status verbose
-ufw allow 10000/tcp  #Webmin +ufw allow from <your_management_ip_cidrproto tcp to any port 10000 #Webmin
-</file> +
- +
-=== CentOS === +
- +
-<file> +
-systemctl status firewalld.service +
-firewall-cmd --permanent --add-port=10000/tcp+
 </file> </file>
  
Line 85: Line 71:
 http://www.ask-gabe.com/server-admin/how-to-install-csf-config-server-firewall-with-webmin-support/ http://www.ask-gabe.com/server-admin/how-to-install-csf-config-server-firewall-with-webmin-support/
  
-:!: Upon installation, CSF automatically opens ports for network services that are currently running.+:!: To ease installation, CSF **automatically opens ports for network services that are currently running**.
  
-:!: Upon installation, CSF starts in Testing Mode.  You must take it out of Testing Mode after revising the configuration.+:!: Upon installation, CSF starts in **Testing Mode**.  You must take it out of Testing Mode after revising the configuration.
  
 :!: Upon installation, check the **OS Specific Settings** and verify that your OS was detected properly and that the **Log file locations** are correct.  :!: Upon installation, check the **OS Specific Settings** and verify that your OS was detected properly and that the **Log file locations** are correct. 
Line 214: Line 200:
 |Testing            |0                                               | |Testing            |0                                               |
 |IPV6               |1                                               | |IPV6               |1                                               |
-|TCP_IN             |20,21,22,25,53,80,110,143,443,465,587,993,995,2222,10000,20000 +|TCP_IN             |20,21,22,25,53,80,110,143,443,465,587,993,995   
-|TCP_OUT            |20,21,22,25,53,80,110,113,443,2222              |+|TCP_OUT            |20,21,22,25,53,80,110,113,443                   |
 |UDP_IN             |20,21,53                                        | |UDP_IN             |20,21,53                                        |
 |UDP_OUT            |20,21,53,113,123,33434:33523                    | |UDP_OUT            |20,21,53,113,123,33434:33523                    |
-|TCP6_IN            |20,21,22,25,53,80,110,143,443,465,587,993,995,2222,10000,20000 +|TCP6_IN            |20,21,22,25,53,80,110,143,443,465,587,993,995   
-|TCP6_OUT           |20,21,22,25,53,80,110,113,443,2222              |+|TCP6_OUT           |20,21,22,25,53,80,110,113,443                   |
 |UDP6_IN            |20,21,53                                        | |UDP6_IN            |20,21,53                                        |
 |UDP6_OUT           |20,21,53,113,123,33434:33523                    | |UDP6_OUT           |20,21,53,113,123,33434:33523                    |
Line 228: Line 214:
 |LF_IPSET           |1                                               | |LF_IPSET           |1                                               |
 |SYNFLOOD           |1                                               | |SYNFLOOD           |1                                               |
-|CONNLIMIT          |22;10,80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5,2222;10,10000;30 +|CONNLIMIT          |22;10,80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5 | 
-|PORTFLOOD          |22;tcp;15;300,80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5,2222;tcp;15;300,10000;tcp;30;5 |+|PORTFLOOD          |22;tcp;15;300,80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5 |
 |DROP_OUT_LOGGING   |1                                               | |DROP_OUT_LOGGING   |1                                               |
 |CONNLIMIT_LOGGING  |1                                               | |CONNLIMIT_LOGGING  |1                                               |
Line 293: Line 279:
 <file> <file>
 tcp|out|d=587|d=1.2.3.4 tcp|out|d=587|d=1.2.3.4
 +</file>
 +
 +To allow Webmin access:
 +
 +<file>
 +# Webmin Access
 +tcp|in|d=10000|s=1.2.3.4   # Allow from your management IP or CIDR
 </file> </file>
  
Line 526: Line 519:
  
 ====== LFD - Login Failure Daemon ====== ====== LFD - Login Failure Daemon ======
 +
 +**Custom RegEx**: https://forum.configserver.com/viewtopic.php?t=7517
  
 LFD does more than just monitor log files for login failures. LFD does more than just monitor log files for login failures.
Line 549: Line 544:
 **Virtualmin SMTP**: https://www.virtualmin.com/comment/737419#comment-737419 **Virtualmin SMTP**: https://www.virtualmin.com/comment/737419#comment-737419
  
-:!: The Postfix MTA is not directly supported by LFD.  You must use custom settings.+:!: The Postfix MTA is not directly supported by LFD.  You must use custom settings.  FIXME Is this still true?
  
 ==== CentOS ==== ==== CentOS ====
networking/firewall/csf.1655143314.txt.gz · Last modified: 2022/06/13 12:01 by gcooper

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki