The ConfigServer Security & Firewall is a popular open source Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application, compatible with most Linux servers.
CSF can be fully configured to block/restrict ports you don't want open. CSF includes the Login Failure Daemon (LFD), which will scan log files and monitor failed login attempts, such as login attempts for FTP and E-Mail accounts, and it will block the IP according to the rules you have setup. CSF also offers Connection Limiting, Real Time Block Lists and Port Scan tracking and much more.
CSF can be easily managed from within its GUI, which is fully compatible with DirectAdmin, CPanel, and WebMin/Virtualmin.
It is important to remove older firewalls or any other firewalls setup to protect the server. This is because the conflict of Firewalls can lead to failures or inaccessibility. You should also not install any other iptables firewall and if it already exists, then it has to be removed at this stage. Most of the systems is likely to have APF+BFD firewalls and has to be removed. So use the following command to detect and remove them if they exist.
------------------------------------------------
sh /usr/local/csf/bin/remove_apf_bfd.sh
------------------------------------------------
1)Install CSF Firewall.
Download the CSF archive to the /tmp folder of your server by using wget, unpack the archive by issuing the TAR command and finally install CSF by starting the ./install.sh setup script.
------------------------------------------------------------------------------------------------
cd /tmp
wget http://www.configserver.com/free/csf.tgz
tar zxvf csf.tgz
cd csf
./install.sh
------------------------------------------------------------------------------------------------
The plugins for DirectAdmin or cPanel are installed automatically.
2)Test IPtables configuration.
This test is recommended to double check that the correct iptables modules are installed. The test can be invoked by issuing the command below, or by going to the "test iptables" section, which can be found at the bottom of the CSF Graphic interface. If not all modules are installed, you need to work on getting them installed.
------------------------------------------------------------------------------------------------
$ /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
------------------------------------------------------------------------------------------------
3)Configuration.
The configuration of your CSF Firewall installation can be maintained by editing the various config files CSF ships with. On Red Hat Enterprise Linux (RHEL) based distributions these can be found in the following location:/etc/csf/
The configuration files include:
csf.conf - the main configuration file, it has helpful comments explaining what each option does.
csf.allow - a list of IP's and CIDR addresses that should always be allowed through the firewall.
csf.deny - a list of IP's and CIDR addresses that should never be allowed through the firewall.
csf.ignore - a list of IP's and CIDR addresses that lfd should ignore and not block if detected.
csf.*ignore - various ignore files that list files, users, IP's that lfd should ignore. See each file for their specific purpose.
If you modify any of the files listed above, you will need to restart csf to have them take effect. If you use the command line options to add or deny IP addresses, then csf automatically does this for you.
However, for the average user it is far quicker to make use of its Graphic Interface (GUI), which can be accessed from within your DirectAdmin, CPanel or Webmin/Virtualmin Control Panel.
4)Enabling CSF Firewall.
The CSF firewall can be fully enabled by setting:
TESTING = 0
This can be done by accessing the GUI, or by editing the main configuration file, found at /etc/csf/csf.conf.
Please ensure your configuration is correct. The wrong settings may lock you out of your server permanently!
5)TCP_IN and TCP_OUT / UDP_IN and UDP_OUT
Below you will find a basic explanation for the recommended opened TCP_IN ports for INCOMING connections to your Linux/cPanel based web server. These ports can be opened from the GUI or the csf.conf file.
20,21 FTP access
22 SSH Access
25, 587 SMTP for EXIM to receive e-mail
53 DNS (Named), The port for your nameservers. Both TCP and UDP ports should be opened here.
80, 443 Apache traffic, http and https
110, 993 POP e-mail access
143, 995 IMAP email access
3306 MySQL. You should not open this port if you don't want to allow remote MySQL access, as most MySQL scripts are accessed locally
2222 DirectAdmin Access
2083 cPanel Access over an encrypted SSL connection
2082 cPanel Access over an unencrypted connection
2087 cPanel WHM Access over an encrypted SSL connection
2086 cPanel WHM Access over an unencrypted connection
10000 Webmin Access
* FTP requires a random high port number if the client is in PORT mode. When using ProFTP you may need to add a port range into your /etc/proftpd.conf file to allow ftp connections, eg: PassivePorts 35000 35999 and then open that port range in your CSF firewall. Ranges can be defined in CSF by using a colon eg: 35000:35999
TCP_IN and TCP_OUT / UDP_IN and UDP_OUT is a comma separated list of:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123"
6)ICMP_IN and ICMP_OUT
Allowing ping is usually a good option for diagnostic purposes.
Set ICMP_IN to 1 to allow incoming ping requests to your server. Set to 0 refuses such requests. If you are hosting any public services, it is recommended to allow ICMP requests, as these can be used to determine whether or not your service is available. ICMP_IN_LIMIT Sets the number of ICMP (ping) requests allowed from one IP address within a specified amount of time. There is usually no need to change the default value (1/s)
Set ICMP_OUT to 1 to allow outgoing ping from your server. Set to 0 refuses such requests. ICMP_OUT_LIMIT Sets the number of outgoing ICMP (ping) requests within a specified amount of time. There is usually no need to change the default value (0)
7)Port flood protection
This setting provides protection against port flood attacks, such as denial of service (DoS) attacks. You may specify the amount of allowed connections on each port within time period of your liking. Enabling this feature is recommended, as it may possibly prevent an attacker forcing your services down. You should pay attention to what limits you set, as too restrictive settings will drop connections from normal clients. Then again, too permissive settings may allow an attacker to succeed in a flood attack.
PORTFLOOD is a comma separated list of:
port;protocol;hit count*;interval seconds
So, a setting of PORTFLOOD = "22;tcp;5;300,80;tcp;20;5" means:
1. If more than 5 connections to tcp port 22 within 300 seconds, then block that IP address from port 22 for at least 300 seconds after the last packet is seen, i.e. there must be a "quiet" period of 300 seconds before the block is lifted.
2. If more than 20 connections to tcp port 80 within 5 seconds, then block that IP address from port 80 for at least 5 seconds after the last packet is seen, i.e. there must be a "quiet" period of 5 seconds before the block is lifted.
You may add more ports by separating them by commas like described as follows:
port1;protocol1;connection_count1;time1,port2;protocol2;connection_count2;time2
8)Port knocking.
Port knocking allows clients to establish connections a server with no ports open. The server allows clients connect to the main ports only after a successful port knock sequence. You may find this useful if you offer services which are available to only limited audience.
The feature requires that you list a random selection of unused ports (at least 3) with a timeout. The ports you choose must not be in use and not appear in TCP_IN (UDP_IN for udp packets). The port to be opened must also not appear in TCP_IN (UDP_IN for udp packets).
PORTKNOCKING is a comma separated list of:
openport;protocol;timeout;kport1;kport2;kport3[...;kportN]
So, a setting of PORTKNOCKING = "22;TCP;20;100;200;300;400" means:
Open Port 22 TCP for 20 seconds to the connecting IP address to new connections once ports 100, 200, 300 and 400 have been accessed (i.e . knocked with a SYN packet) each knock being less than 20 seconds apart.
Access to port 22 remains active after 20 seconds until the connection is dropped, however new connections will not be allowed.
9)Syslog and RESTRICT_SYSLOG.
When enabled, this option logs lfd (Login Failure Daemon) messages to syslog as well as to /var/log/lfd.log.
Unfortunately, it is trivial for end-users and scripts run by end-users to spoof log lines that appear identical to any log line reported in logs maintained by syslog/rsyslog. You can identify these logs by looking in /etc/syslog.conf or etc/rsyslog.conf
This means that anyone on the server can maliciously trigger applications that monitor these logs, such as lfd does for the following options:
------------------------------------------------------------------------------------------------------------
LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT PORTKNOCKING_ALERT ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
------------------------------------------------------------------------------------------------------------
A malicious user could use this issue to trigger confusing emails regarding both successful and failed login attempts, kernel log lines (including iptables log lines) etc. Unfortunately, there is very little that can be done about this as syslog/rsyslog has no security framework. Some attempt was made in newer versions of rsyslog, but this version is not available in the current versions used by RedHat/CentOS v6. It also has to be enabled and can have adverse effects on utilities that expect a certain format for the log lines.
To mitigate spoofing attempts we recommend the following, if you are willing to accept the consequences of spoofed log lines:
1. Go through the options above ensuring that only those that you need are enabled.
2. Ensure that DENY_IP_LIMIT and DENY_TEMP_IP_LIMIT are set reasonably low (for example, 200). This will limit attempts to block large numbers of IP addresses.
3. Ensure that administrator/support IP addresses are listed in /etc/csf/csf.allow and perhaps /etc/csf/csf.ignore. This will prevent malicious blocking from denying you access to the server.
4. To confirm successful logins to SSH, use the "last" utility from the root shell, e.g.: last -da
5. Regularly check the server and user data for exploits, old vulnerable applications and out of date OS applications.
6. Consider carefully any application that you use that centralises actions and syslog/rsyslog logs and the implications of spoofed log lines.
7. Consider the implications of this overall issue on applications and scripts other than csf/lfd that use the affected log files.
8. Ultimately, you could consider restricting access to all configured syslog/rsyslog unix sockets. This can be used via file permissions and ownership of the sockets (e.g. /dev/log) but there are several caveats: file permissions and ownership have to be reapplied whenever syslog/rsyslog is restarted; restricting logging will break/limit some applications ability to log to syslog/rsyslog, for example crond.
9. Do not enable syslog/rsyslog reception via UDP/TCP ports.
10)Connection limit protection CONNLIMIT
This feature can be used to limit the number concurrent of active connections from an IP address to each port. When properly configured, this may prevent abuses on the server, such as DoS attacks.
CONNLIMIT is a comma separated list of:
port;limit
So, a setting of CONNLIMIT = "22;5,80;20" means:
Only allow up to 5 concurrent new connections to port 22 per IP address.
Only allow up to 20 concurrent new connections to port 80 per IP address.
11)Port/IP address redirection.
CSF can be configured to redirect connections to an IP/port to another IP/port. Note: After redirection, the source address of the client will be the server's IP address.
Requirements:
nat tables
ipt_DNAT iptables module
ipt_SNAT iptables module
ipt_REDIRECT iptables module
The following are the allowed redirection formats:
DNAT (redirect from one IP address to a different one):
IPx|*|IPy|*|tcp/udp - To IPx redirects to IPy
IPx|portA|IPy|portB|tcp/udp - To IPx to portA redirects to IPy portB
DNAT examples:
192.168.254.62|*|10.0.0.1|*|tcp
192.168.254.62|666|10.0.0.1|25|tcp
REDIRECT (redirect from port to a different one):
IPx|portA|*|portB|tcp/udp - To IPx to portA redirects to portB
*|portA|*|portB|tcp/udp - To portA redirects to portB
REDIRECT examples:
*|666|*|25|tcp
192.168.254.60|666|*|25|tcp
192.168.254.4|666|*|25|tcp
Where a port is specified it cannot be a range, only a single port.
All redirections to another IP address will always appear on the destination server with the source of this server, not the originating IP address.
This feature is not intended to be used for routing, NAT, VPN, etc tasks.
12)SYNFLOOD, SYNFLOOD_RATE and SYNFLOOD_BURST.
Offers protection against SYN flood attacks. This slows down the initialization of every connection, so you should enable this only if you know that your server is under attack.
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
13)Login Failure Daemon (LFD).
To complement the ConfigServer Firewall, a daemon process that runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that continually fail within a short period of time. Such attempts are often called "Brute-force attacks" and the daemon process responds very quickly to such patterns and blocks offending IP's quickly.
There are an array of extensive checks that lfd can perform to help alert the server administrator of changes to the server, potential problems and possible compromises.
lfd can monitor the most commonly abused protocols, SSHD, POP3, IMAP, FTP and HTTP password protection. Unlike other applications, lfd is a daemon process that monitors logs continuously and so can react within seconds of detecting such attempts. It also monitors across protocols, so if attempts are made on different protocols in a short space of time, all those attempts will be counted against the threshold.
If you want to add some spam protection, CSF can help. Look in the configuration for the following:
LF_SCRIPT_ALERT = 0 change this to 1. This will send an email alert to the system administrator when the limit configured below is reached within an hour.
LF_SCRIPT_LIMIT = 100 change this to 250. This will alert you when any scripts sends out 250 email messages in an hour.
Define email address to which you need to get alerts and define email address to which you want to get.
LF_ALERT_TO = “test1@google.com”
LF_ALERT_FROM = “test2@google.com”
14)Uninstallation.
Removing csf and lfd is even more simple:
cd /etc/csf
sh uninstall.sh
Here are the most common commands you will be using:
csf -d IPADDRESS will deny an IP.
csf -a IPADDRESS will allow an IP.
csf -r will reload all rules.
-dr, –denyrm ip Remove and unblock an IP address in /etc/csf.deny.
-t, –temp Displays the current list of temporary IP bans and their TTL.
-tr, –temprm ip Remove an IP address from the temporary IP ban list.
For a complete overview of all command line options enter csf or csf -h on the command line and you will receive a list with all available options.
You can also visit the CSF home page where you can find further documentation and FAQs.
http://configserver.com/cp/csf.html
http://download.configserver.com/csf/install.txt
