Thursday, 12 December 2013

Installing CSF on Linux Server (ConfigServer Firewall)

This guide will walk you through installing CSF on a VPS/Dedicated server.

Preparing the server



After logging in via SSH as root, we need to download the CSF firewall itself. First make a temporary directory called "tmp", then move into it and download the latest version of CSF:

mkdir tmp
cd tmp
wget http://configserver.com/free/csf.tgz


Once CSF is downloaded, we will need to extract the archive containing it and move into the directory it creates:

tar xf csf.tgz
cd csf


We are now ready to install CSF.

Installing CSF on a server with cPanel



CSF includes integration with control panels such as cPanel. To install it on a cPanel-based server, execute the install script that is meant for cPanel:

./install.cpanel.sh


Installing CSF on a server without cPanel



If you do not have cPanel on your server and would still like to install CSF, you can certainly do so. Execute the following command:

./install.sh


Configuring CSF - allowing ports



Configuring your firewall is required for it to function correctly. Let's open the CSF configuration file:

nano /etc/csf/csf.conf


To turn the firewall on, inside the editor, navigate down until you see TESTING="1" and change it to TESTING="0".

Every block in the file is commented (a comment is a line that starts with a #) so you can understand what each section does. For example, to add an incoming TCP port to the allow list, we would edit this variable:

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"


To allow incoming MySQL connections we would add 3306 to the list:

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306"


When you make the changes, hit CTRL+X to exit the editor and press Y when it asks you if you want to overwrite the file.

Don’t forget to:

  1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf configuration to suit your server

  2. Restart csf and lfd

  3. Set TESTING to 0 once you’re happy with the firewall
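
One way to confirm that the ports you depend on are listed in TCP_IN before TESTING is set to 0, as an added example (not part of the original guide or of CSF itself). The function names, the sample file and the SSH port 2222 are constructed for illustration; on a real server you would point csf_preflight at /etc/csf/csf.conf.

```shell
#!/bin/sh
# Pre-flight check for a csf.conf-style file before TESTING is set to "0".

# Print the quoted value of KEY (lines of the form KEY = "value").
csf_get() {  # usage: csf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Succeed if PORT is covered by the comma-separated list stored in KEY.
# An entry is either a single port or a low:high range.
csf_port_allowed() {  # usage: csf_port_allowed FILE KEY PORT
    list=$(csf_get "$1" "$2" | tr -d ' ')
    old_ifs=$IFS; IFS=,
    for entry in $list; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 if [ "$3" -ge "$lo" ] && [ "$3" -le "$hi" ]; then IFS=$old_ifs; return 0; fi ;;
            *)   if [ "$entry" = "$3" ]; then IFS=$old_ifs; return 0; fi ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Report every required port that TCP_IN would block, then the TESTING value.
# The return status is the number of required ports missing from TCP_IN.
csf_preflight() {  # usage: csf_preflight FILE PORT...
    conf=$1; shift; missing=0
    for port in "$@"; do
        if ! csf_port_allowed "$conf" TCP_IN "$port"; then
            echo "TCP_IN does not allow port $port"
            missing=$((missing + 1))
        fi
    done
    echo "TESTING = $(csf_get "$conf" TESTING)"
    return "$missing"
}

# Constructed sample config (not a real server's file): SSH has been moved
# to 2222 but TCP_IN was never updated, and TESTING is still on.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,25,53,80,110,143,443,3306,30000:35000"
EOF

# Ports this hypothetical server must keep reachable: SSH (2222), HTTP, HTTPS.
csf_preflight "$SAMPLE_CONF" 2222 80 443 || echo "fix TCP_IN before setting TESTING to 0"
```

Run it from the SSH session you are already logged in on, so a missing SSH port is caught while you still have access.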




CSF is preconfigured to work on a cPanel server with all the standard cPanel
ports open. It also auto-configures your SSH port if it’s non-standard on
installation.

You should ensure that the kernel logging daemon (klogd) is enabled. Typically, VPS
servers have this disabled and you should check /etc/init.d/syslog and make
sure that any klogd lines are not commented out. If you change the file,
remember to restart syslog.

Now log in to your cPanel server’s WHM as root and go to the bottom left menu. If you are already logged in, reload the page. Under Plugins you will see: ConfigServer Security Firewall
The firewall is STOPPED by default – it is not running. We need to configure it, and then take it out of Test Mode.

Click on Firewall Configuration

ETH_DEVICE = : Set this to eth+

TCP_IN/TCP_OUT/UDP_IN/UDP_OUT = : These are the ports you want to leave open for your server to operate. If you change the default SSH port, make sure to add it here. Also add any other services you might have running, such as Shoutcast or game servers. By default most of the ports used should already be configured.

MONOLITHIC_KERNEL = 0: Only change this to 1 if your firewall will not start – otherwise leave it as it is.

LF_DSHIELD = 0: Change this option to 86400. This is an automatically updated list of known attacking IPs. Enabling this will stop them from being able to connect to your server.

Spam Protection Alerts
If you want to add some spam protection, CSF can help. Look in the configuration for the following:

LF_SCRIPT_ALERT = 0: Change this to 1. This will send an email alert to the system administrator when the limit configured below is reached within an hour.

LF_SCRIPT_LIMIT = 100: Change this to 250. This will alert you when any script sends out 250 email messages in an hour.

Configuration Complete – Almost
Scroll down to the bottom and click on Change to save the settings. Then click Restart csf+lfd

You should see a big page of ACCEPT and near the bottom you should see:

csf: TESTING mode is enabled – don’t forget to disable it in the configuration
Starting lfd:[  OK  ]

Click on Return

Now TEST all your services to make sure everything is working – SSH, FTP, http. After you do a few quick tests, go back into the Firewall Configuration page.

TESTING = 1: Change this to 0 and click Change at the bottom. Then click Restart csf+lfd

That’s it, the firewall is successfully installed and running!!

Firewall Status: Running – you should see this on the main CSF page in WHM.

Uninstallation



Removing csf and lfd is even simpler:

cd /etc/csf
sh uninstall.sh


 
