Friday, 18 December 2009

How To Configure CSF Firewall

In this how-to I will describe how to install and configure a full-featured firewall on your server using the Config Server Firewall (CSF) script from http://www.configserver.com. A firewall is a basic need of every server nowadays, and people try to protect their servers with different scripts, but CSF gives an all-in-one solution. The tools available for implementing one are either over-complex, not user friendly, or simply not as effective as they could be, and that is the reason CSF was developed.

You can see the list of features on the following site.

http://www.configserver.com/cp/csf.html

1) Download CSF


[root@server1 ~]# cd /usr/src
[root@server1 src]# wget http://www.configserver.com/free/csf.tgz

2) Install CSF


[root@server1 src]# tar zxvf csf.tgz
[root@server1 csf]# cd csf
[root@server1 csf]# ./install.sh

It will compile and install csf under the /etc/csf/ directory; now we will configure it.

3) Configuration


First run the following command to verify that you have all the iptables modules required to run CSF in full. Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors.
[root@server1 csf]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing ipt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK

RESULT: csf should function on this server

Looks 100% OK.

Now, if you are running the apf/bfd firewall, it has to be removed for csf to work.
[root@server1 csf]# sh /etc/csf/remove_apf_bfd.sh
Removing apf and/or bfd…

/etc/csf/remove_apf_bfd.sh: line 5: apf: command not found
error reading information on service apf: No such file or directory
error reading information on service apf: No such file or directory

…Done

Sure, I don't use it, so it's not found.

Now edit the csf config file to implement the firewall as per our needs.
[root@server1 csf]# vi /etc/csf/csf.conf

The following setting runs csf in Testing Mode: if we lock ourselves out by mistake, it will flush all firewall rules after 5 minutes so we can get back in and fix it.
TESTING = "1"

We will change it to zero "0" when we have finished and are sure we have all the right rules in.

Put all the ports that you want open on your server for incoming traffic here, separated by commas.
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

Also open any ports you want for outgoing traffic.
TCP_OUT = "20,21,22,25,53,80,110,113,443"

The same goes for UDP_IN and UDP_OUT. Remember that if you are running a DNS service you have to open port 53 in UDP_IN as well, since DNS on port 53 runs over UDP rather than TCP.
UDP_IN = "20,21,53"

To allow outgoing traceroute, add 33434:33523 to this list.
UDP_OUT = "20,21,53,113,123,33434:33523"

If you would like people to be able to ping your server without any timeouts, change the following value to zero "0". The default value limits pings to 1 per second, which may show up as ping timeouts and give the impression that your server is dropping packets.
ICMP_IN_RATE = "0"

SYNFLOOD protection is already enabled, and if you want to change the RATE or BURST value you can adjust the following lines to match your traffic.
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"

Currently the RATE is 100/s and the BURST can go up to 150. This can vary from server to server.

To protect any specific port on your server from DoS attacks, you can define it in the PORTFLOOD tag. This option limits the number of new connections that can be made to specific ports per time interval.

By default it is empty; I would like to limit port 80 (the web server) to 20 connections per 5 seconds.
PORTFLOOD = "80;tcp;20;5"

This protects port 80, running on protocol tcp, by limiting it to 20 connections per 5 seconds. Use the same format for more ports, with the fields of each entry separated by semicolons (;).

Define the email address to which alerts should be sent, and the address they should be sent from.
LF_ALERT_TO = “sohaileo@gmail.com”

LF_ALERT_FROM = “csf@sohailriaz.com”

This implements more firewall than you need. It has tons of options, and you can edit csf.conf further to suit your needs.

After this, save the file and start the csf service.
[root@server1 csf]#  /etc/init.d/csf start

Don't be scared by the large number of iptables commands it runs :)

CSF will start in Testing mode. Now you have to check whether the rules are implemented correctly; if you have accidentally blocked yourself, wait 5 minutes and then log in again to fix it.

If you have completed the configuration and are sure that every rule is implemented correctly, change TESTING from 1 to 0 to run CSF permanently.
TESTING = "0"

Then restart the service again to activate it.
[root@server1 csf]#  /etc/init.d/csf restart
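Before switching TESTING to "0" it is worth checking the values entered above, because once testing mode is off there is no 5-minute flush to let you back in if the SSH port is missing from TCP_IN. The following POSIX sh script is an added example, not part of the original post and not the CSF project's own code: it reads a csf.conf-style text, validates the four port lists and the PORTFLOOD entry, and confirms the SSH port is explicitly listed. The config fragment inside it is constructed from the values used in this how-to; the function names are my own, and the script assumes PORTFLOOD entries are comma-separated with semicolon-separated fields.

```shell
# Added example (not from the original post or the CSF project): a pre-flight
# check for csf.conf values before TESTING is switched from "1" to "0".
# The config fragment below is constructed from the values in this how-to.
SAMPLE_CSF_CONF='# constructed csf.conf fragment
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123,33434:33523"
PORTFLOOD = "80;tcp;20;5"'

# csf_get NAME: read csf.conf text on stdin and print the quoted value of NAME
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# port_ok PORT: an integer in 1..65535
port_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ports_valid LIST: comma-separated ports or low:high ranges (csf's range syntax)
ports_valid() {
    _old_ifs=$IFS; IFS=,; set -- $1; IFS=$_old_ifs
    for _p in "$@"; do
        case "$_p" in
            *:*) _lo=${_p%%:*}; _hi=${_p#*:}
                 port_ok "$_lo" && port_ok "$_hi" && [ "$_lo" -le "$_hi" ] || return 1 ;;
            *)   port_ok "$_p" || return 1 ;;
        esac
    done
    return 0
}

# has_port LIST PORT: PORT appears as an explicit entry in LIST (ranges are not expanded)
has_port() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# portflood_valid LIST: comma-separated port;proto;connections;seconds entries
# (assumption: entries are comma-separated, each with exactly four ; fields)
portflood_valid() {
    _old_ifs=$IFS; IFS=,; set -- $1; IFS=$_old_ifs
    for _e in "$@"; do
        case "$_e" in *\;*\;*\;*\;*) return 1 ;; *\;*\;*\;*) ;; *) return 1 ;; esac
        _port=${_e%%;*}; _rest=${_e#*;}
        _proto=${_rest%%;*}; _rest=${_rest#*;}
        _conns=${_rest%%;*}; _secs=${_rest#*;}
        port_ok "$_port" || return 1
        case "$_proto" in tcp|udp) ;; *) return 1 ;; esac
        for _n in "$_conns" "$_secs"; do
            case "$_n" in ''|0*|*[!0-9]*) return 1 ;; esac   # positive integers only
        done
    done
    return 0
}

# csf_ready CONF_TEXT SSH_PORT: returns 0 when it is safe to set TESTING = "0":
# all four port lists parse, the SSH port is explicitly in TCP_IN (with TESTING
# off there is no 5-minute flush to recover a lock-out), and PORTFLOOD, if set,
# has the port;proto;connections;seconds shape. Problems are printed one per line.
csf_ready() {
    _conf=$1; _ssh=$2; _rc=0
    for _name in TCP_IN TCP_OUT UDP_IN UDP_OUT; do
        _val=$(printf '%s\n' "$_conf" | csf_get "$_name")
        ports_valid "$_val" || { echo "$_name: bad port list '$_val'"; _rc=1; }
    done
    has_port "$(printf '%s\n' "$_conf" | csf_get TCP_IN)" "$_ssh" \
        || { echo "TCP_IN does not include SSH port $_ssh"; _rc=1; }
    _pf=$(printf '%s\n' "$_conf" | csf_get PORTFLOOD)
    [ -z "$_pf" ] || portflood_valid "$_pf" || { echo "PORTFLOOD: bad entry '$_pf'"; _rc=1; }
    return $_rc
}

# Usage on the constructed sample; for a live server pass "$(cat /etc/csf/csf.conf)"
if csf_ready "$SAMPLE_CSF_CONF" 22; then
    echo "config checks pass: safe to set TESTING = \"0\" and restart csf"
else
    echo "fix the items above before disabling TESTING"
fi
```

Run it with the SSH port your sshd actually listens on; if you have moved SSH off port 22, the TCP_IN line must list that port or the check fails, which is exactly the lock-out the testing mode exists to catch.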

To allow IP addresses through iptables, insert one IP per line. If you want to allow a whole block, use CIDR notation.
[root@server1 csf]# vi /etc/csf/csf.allow

192.168.0.1
192.168.1.0/24

These IPs should also be defined in /etc/csf/csf.ignore so that the lfd daemon ignores them when checking.

To deny IP addresses through iptables, insert one IP address per line. If you want to deny a whole block, use CIDR notation.
[root@server1 csf]# vi /etc/csf/csf.deny

192.168.0.5 #do not delete

The #do not delete comment tells csf to ignore the DENY_IP_LIMIT tag and not delete this IP from the file.
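A typo in csf.allow or csf.deny (an octet above 255, a prefix above /32) is easy to make when editing by hand, so it helps to validate the file before restarting. The following POSIX sh script is an added example, not from the original post or the CSF project: it checks each entry as an IPv4 address or CIDR block, ignores trailing comments, and reports which entries carry the "do not delete" marker. The csf.deny fragment inside it is constructed and the function names are my own.

```shell
# Added example (not from the original post or the CSF project): validate
# csf.allow / csf.deny style entries. The fragment below is constructed.
SAMPLE_CSF_DENY='# constructed csf.deny fragment
192.168.0.5 #do not delete
10.0.0.0/8
203.0.113.7 # temporary block
300.1.1.1
192.168.1.0/33'

# octet_ok N: an integer in 0..255
octet_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 255 ]
}

# ipv4_ok ADDR: four dot-separated octets
ipv4_ok() {
    case "$1" in *.|.*|*..*) return 1 ;; esac   # empty leading/trailing/middle field
    _old_ifs=$IFS; IFS=.; set -- $1; IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do octet_ok "$_o" || return 1; done
    return 0
}

# cidr_ok ENTRY: a plain address, or address/prefix with prefix 0..32
cidr_ok() {
    case "$1" in
        */*) _pfx=${1#*/}
             case "$_pfx" in ''|*[!0-9]*) return 1 ;; esac
             [ "$_pfx" -le 32 ] && ipv4_ok "${1%%/*}" ;;
        *)   ipv4_ok "$1" ;;
    esac
}

# csf_list_check TEXT: prints one "keep|ok|bad ENTRY" line per entry
# (keep = valid entry marked "do not delete"); returns 1 if any entry is bad
csf_list_check() {
    _rc=0
    while IFS= read -r _line; do
        _entry=${_line%%#*}            # drop the trailing comment
        set -- $_entry                 # trim surrounding whitespace
        [ $# -gt 0 ] || continue       # blank or comment-only line
        _entry=$1
        case "$_line" in *"do not delete"*) _tag=keep ;; *) _tag=ok ;; esac
        cidr_ok "$_entry" || { _tag=bad; _rc=1; }
        printf '%s %s\n' "$_tag" "$_entry"
    done <<EOF
$1
EOF
    return $_rc
}

# Usage on the constructed sample; for a live server pass "$(cat /etc/csf/csf.deny)"
csf_list_check "$SAMPLE_CSF_DENY" || echo "fix the entries marked bad before restarting csf"
```

Only IPv4 is handled here, which matches the entries in this how-to; an entry in any other form is reported as bad rather than silently accepted.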

Now you have a full-featured firewall installed and running without any errors. What you have to do now is re-read the whole /etc/csf/csf.conf file, check every option it offers, and change it according to your firewall needs. I hope you will now be able to edit it easily and do more with it. If you need any help, please comment so that everyone can benefit.
