Official Power Up Hosting Blog

Everything about Linux, Windows, and hosting ;)

Mayur Chavhan
Author

Mayur Chavhan is a System Administrator at Power Up Hosting, an inbound, systems and technology organization that uses articles to reach tech-savvy readers and to help customers.


How to install and configure CSF for use on Ubuntu 14.04

Mayur Chavhan

Computers and the internet are pervasive today, and security measures must be raised to match, because hackers, malware and thousands of different viruses play a dangerous role in damaging the integrity of the internet.

A firewall on every host attached to the Internet puts all traffic flowing through it under careful observation, and that's where CSF comes in handy.

What exactly is "CSF"?

ConfigServer Security & Firewall, commonly called CSF, is a firewall configuration script built to give your server better security.

Best security practice for keeping your server protected includes an advanced firewall service.

CSF provides one while giving you a simple-to-use, advanced interface for managing your firewall settings.

What's the main role of CSF in Server?

Think of it as a sentinel for your server; its installation is very basic and direct.

CSF configures your server's firewall to secure your publicly reachable services.

Security is one of the most important things to consider if you run an online business.

CSF is a firewall configuration script built to improve your server's security while giving you an easy-to-use, advanced interface for managing your firewall settings.

Comparing CSF with UFW, CSF is

[Image: CSF vs UFW comparison]

Why is CSF built around cPanel?

The CSF setup includes a control panel UI accessible through WHM, and the Login Failure Daemon (lfd), which runs periodically to scan the most recent log file entries for login attempts that repeatedly fail within a short period.

The daemon reacts quickly to such patterns and blocks the offending IP.

On a CSF-enabled server, the firewall appears inside cPanel WHM at the bottom of the menu. Simply click the link and you can also edit the firewall settings inside cPanel, which is very easy to do.

Now let's begin with this guide.

For this tutorial, we are using a freshly installed Ubuntu 14.04 VPS.

Don't worry, I have other guides for other Linux distributions, but stay with this post.

I'll share more posts in the coming days.

Let's check and complete a few prerequisites before installing CSF.

The first thing to do is bring the server up to date with the latest available packages. For that, use the command below.

 $ sudo apt-get update && sudo apt-get upgrade -y

Above commands will update and upgrade all packages on your server.

Tip: Don't use "dist-upgrade"; it can change the entire Linux distribution to another version. Of course, go ahead if you already know exactly what you're doing.

In this article, you will learn how to install CSF on Ubuntu 14.04.

CSF Installation

Before installing CSF, make sure you install the following Perl modules.

These modules are required for the stat graphs available from the CSF user interface; CSF needs them to run its modules in the backend.

Install CSF from the Ubuntu command line

    $ sudo apt-get install liblist-compare-perl

Installing CSF is very direct and easy.

First, download the latest CSF source archive using the command below,

  $ sudo wget https://download.configserver.com/csf.tgz

Then extract the downloaded archive; if you want, you can remove the archive after extraction.

  $ sudo tar -xvzf csf.tgz && rm csf.tgz

Go into the CSF folder to install,

  $ cd csf/

Run the install.sh script to install CSF,

  $ sudo ./install.sh

Now let's verify that you have the essential iptables modules, using the command below,

  $ sudo perl /usr/local/csf/bin/csftest.pl

You should see something like this.

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: CSF should function on this server
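The check I would script around this step, as an added example that is not part of the original post or of the CSF project: a small POSIX shell function that reads csftest.pl's output on stdin and succeeds only when every module line ends in OK and the positive RESULT line is present, so an unattended build can stop before the firewall is enabled. The samples in the demo are constructed, and the wording of the FAILED line is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post or the CSF project):
# turn the csftest.pl step into a pass/fail check for unattended installs.
# csftest.pl prints one "Testing <module>...OK" line per iptables module
# and a final RESULT line; any module line that does not end in OK is a
# kernel module that some csf feature will depend on.

# csftest_all_ok  (reads csftest.pl output on stdin)
# returns 0 only if at least one module was tested, none failed and the
# "should function" RESULT line is present; names each failed module on stderr
csftest_all_ok() {
    tested=0; failed=0; result_ok=0
    while IFS= read -r line; do
        case $line in
            Testing*...OK) tested=$((tested + 1)) ;;
            Testing*)      tested=$((tested + 1)); failed=$((failed + 1))
                           echo "missing module: $line" >&2 ;;
            "RESULT: CSF should function on this server") result_ok=1 ;;
        esac
    done
    [ "$tested" -gt 0 ] && [ "$failed" -eq 0 ] && [ "$result_ok" -eq 1 ]
}

# Real use on the server (needs root, so it is left as a comment here):
#   sudo perl /usr/local/csf/bin/csftest.pl | csftest_all_ok && echo "iptables modules OK"

# Demo on constructed output: the second sample imitates a server whose
# kernel lacks ipt_recent (the wording of the FAILED line is constructed).
good_sample='Testing ip_tables/iptable_filter...OK
Testing ipt_REJECT...OK

RESULT: CSF should function on this server'

bad_sample='Testing ip_tables/iptable_filter...OK
Testing ipt_recent...FAILED [constructed: module not loaded]

RESULT: csf will not function on this server due to FATAL errors from missing modules [1]'

printf '%s\n' "$good_sample" | csftest_all_ok && echo "good sample: pass"
printf '%s\n' "$bad_sample" | csftest_all_ok || echo "bad sample: rejected"
```

Piping the real csftest.pl output through the function gives you a single exit status to branch on in a provisioning script, instead of eyeballing the OK column.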

You have to remove any previously installed firewall from the server if one exists; otherwise it will interfere with CSF.

   $ sudo bash /usr/local/csf/bin/remove_apf_bfd.sh

That takes care of checking for and removing those firewalls, but don't forget about Ubuntu's own UFW firewall.

   $ sudo ufw disable

   Firewall stopped and disabled on system startup

Change into the CSF configuration directory,

   $ cd /etc/csf/

All CSF configuration lives in this directory. Have a look at these files; later we will go through some of them to learn what we can do.

r00t@ubuntu14:/etc/csf$ ls

alerts          csf.deny      csf.logfiles   csf.rblconf    csf.sips         csftest.pl     license.txt           remove_apf_bfd.sh
changelog.txt   csf.dirwatch  csf.logignore  csf.redirect   csf.smtpauth     csf.uidignore  messenger             ui
csf.allow       csf.dyndns    csf.mignore    csf.resellers  csf.suignore     csfwebmin.tgz  pt_deleted_action.pl  uninstall.sh
csf.blocklists  csf.fignore   csf.pignore    csf.rignore    csf.syslogs      install.txt    readme.txt            version.txt
csf.conf        csf.ignore    csf.pl         csf.signore    csf.syslogusers  lfd.pl         regex.custom.pm       webmin

Here are the CSF commands for the rest of the installation process.
Edit the configuration file to make the changes CSF needs in order to work,

   $ sudo nano csf.conf

In this file, scroll down, find the TESTING setting and change

     **TESTING = "1"**  to   **TESTING = "0"**

Save and close it; this enables CSF for real use.
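While TESTING is "1", csf keeps a cron job that flushes the iptables rules every TESTING_INTERVAL minutes and lfd refuses to start, which is exactly why you flip it to "0" only after you have confirmed you can still reach the box. Here is an added example, not from the original post or the CSF project, of making that edit from a script instead of nano: two POSIX shell helpers that read and rewrite a `KEY = "value"` line in csf.conf while keeping a backup, demonstrated on a constructed miniature csf.conf (the path, and the restart command afterwards, are assumptions you supply).

```shell
#!/bin/sh
# Added example (not from the original post or the CSF project): read and
# change a csf.conf option without hand-editing, keeping a backup.
# The file path is a parameter so you can try it on a copy first; TESTING
# and TESTING_INTERVAL are real csf.conf keys, the demo file is constructed.

# csf_get_option FILE KEY -> prints the value of KEY without its quotes
csf_get_option() {
    file=$1; key=$2
    # csf.conf lines look like:  KEY = "value"
    sed -n "s/^${key} *= *\"\([^\"]*\)\".*/\1/p" "$file" | head -n 1
}

# csf_set_option FILE KEY VALUE -> rewrites KEY = "VALUE" in place, keeping
# FILE.bak; refuses if KEY is absent so a typo cannot silently do nothing.
# (VALUE must not contain "|", which is the sed delimiter used here.)
csf_set_option() {
    file=$1; key=$2; value=$3
    grep -q "^${key} *= *\"" "$file" || { echo "no such option: $key" >&2; return 1; }
    cp "$file" "$file.bak"
    sed -i "s|^\(${key} *= *\)\"[^\"]*\"|\1\"${value}\"|" "$file"
}

# csf_leave_testing FILE -> turn TESTING off and print the value now in the file
csf_leave_testing() {
    csf_set_option "$1" TESTING 0 || return 1
    csf_get_option "$1" TESTING
}

# Demo on a constructed miniature csf.conf (not a real one). On a server you
# would pass /etc/csf/csf.conf and afterwards run: sudo csf -ra
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# Testing flag - enables a CRON job that clears iptables in case of
# configuration problems when you start csf (constructed excerpt)
TESTING = "1"
TESTING_INTERVAL = "5"
EOF
echo "before: TESTING=$(csf_get_option "$demo_conf" TESTING)"
echo "after:  TESTING=$(csf_leave_testing "$demo_conf")"
rm -f "$demo_conf" "$demo_conf.bak"
```

The same two helpers cover every other `KEY = "value"` line in csf.conf that this post touches later (TCP_IN, PORTFLOOD, CONNLIMIT and so on); the refusal on an unknown key is deliberate, since a silent no-op on a misspelled option is how servers end up running with the defaults you thought you had changed.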

If everything goes as in the guide, we can now start the CSF and LFD services.

    $ sudo service csf start

    $ sudo service lfd start

The output should end with something like this,

 LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
 LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
 LOCALINPUT all opt in !lo out * ::/0 -> ::/0
 Done

We will examine the CSF configuration files and their uses shortly.

When starting CSF, if you get the following error,

*WARNING* URLGET set to use LWP but Perl module is not installed, reverting to HTTP::Tiny

run the command below to install the Perl dependency so CSF works properly,

     $ sudo apt-get install libwww-perl

Grab your coffee; you're good to go.

CSF Configuration

CSF is now ready to protect you from many dangerous attacks, but we still need to set additional rules and configure it so it works in your favour.

Now you know why it is named "ConfigServer Firewall": it still depends on your needs being configured properly.

The usual approach in most iptables firewall setups is to block everything and then allow through only the connections you need, while permitting traffic in and out for connections that are already established.

In iptables this is done by DROPping all connections to and from the server by default.

Then you open ports individually for inbound and outbound traffic, for both TCP and UDP.

Allow and deny IPs in ConfigServer Firewall:

If you need to allow or deny an IP address using the CLI, the following options are commonly used:

List all rules currently applied by CSF,

      $ sudo csf -l

To enable CSF and LFD,

      $ sudo csf -e

You'll see this message at the bottom,

Starting lfd: Done
csf and lfd have been enabled

Stop the CSF firewall service,

      $ sudo csf -x

If CSF is stopped, no worries, use this to start it,

      $ sudo csf -s

To restart,

      $ sudo csf -r

To add an IP address to the permanent allow list in csf.allow:

      $ sudo csf -a 123.45.67.89

Remove an IP from the allow list,

        $ sudo csf -ar 123.45.67.89

Add an IP to the deny list in csf.deny:

      $ sudo csf -d 135.68.91.35

Remove an IP from the deny list,

      $ sudo csf -dr 135.68.91.35

If you want to whitelist an IP, the IGNORE_ALLOW value in csf.conf shows "0" by default; if you want to change it, set it to "1" and restart the CSF service.

      $ sudo csf -i 

Search the iptables rules for a matching pattern, e.g. an IP or a port,

      $ sudo csf -g 123.45.67.89

Flush or stop the firewall rules (this clears the currently loaded rules; lfd may restart csf),

      $ sudo csf -f 

Update CSF to the latest version,

      $ sudo csf -u
 
csf is already at the latest version: v9.28

The list above covers the commonly used commands, but there are more that can be helpful; run the help command below to see them,

       $ sudo csf -h

   -h,  --help
          Show this message

   -l,  --status
          List/Show the IPv4 iptables configuration

   -l6, --status6
          List/Show the IPv6 ip6tables configuration

   -s,  --start
          Start the firewall rules

   -f,  --stop
          Flush/Stop firewall rules (Note: lfd may restart csf)

   -r,  --restart
          Restart firewall rules (csf)

   -q,  --startq
          Quick restart (csf restarted by lfd)

   -sf, --startf
          Force CLI restart regardless of LFDSTART setting

   -ra, --restartall
          Restart firewall rules (csf) and then restart lfd daemon.  Both
          csf and then lfd should be restarted after making any changes to
          the configuration files

   --lfd [stop|start|restart|status]
          Actions to take with the lfd daemon

   -a,  --add ip [comment]
          Allow an IP and add to /etc/csf/csf.allow

   -ar, --addrm ip
          Remove an IP from /etc/csf/csf.allow and delete rule

   -d,  --deny ip [comment]
          Deny an IP and add to /etc/csf/csf.deny

   -dr, --denyrm ip
          Unblock an IP and remove from /etc/csf/csf.deny

   -df, --denyf
          Remove and unblock all entries in /etc/csf/csf.deny

   -g,  --grep ip
          Search the iptables and ip6tables rules for a  match  (e.g.  IP,
          CIDR, Port Number)

   -i,  --iplookup ip
          Lookup IP address geographical information using CC_LOOKUPS set-
          ting in /etc/csf/csf.conf

   -t,  --temp
          Displays the current list of temporary allow and deny IP entries
          with their TTL and comment

   -tr, --temprm ip
          Remove an IP from the temporary IP ban or allow list

   -td, --tempdeny ip ttl [-p port] [-d direction] [comment]
          Add an IP to the temp IP ban list. ttl is how long to blocks for
          (default:seconds, can use one suffix of h/m/d).  Optional  port.
          Optional  direction  of  block  can  be one of: in, out or inout
          (default:in)

   -ta, --tempallow ip ttl [-p port] [-d direction] [comment]
          Add an IP to the temp IP allow list (default:inout)

   -tf, --tempf
          Flush all IPs from the temporary IP entries

   -cp, --cping
          PING all members in an lfd Cluster

   -cd, --cdeny ip
          Deny an IP in a Cluster and add to each remote /etc/csf/csf.deny

   -ca, --callow ip
          Allow   an   IP   in   a   Cluster   and   add  to  each  remote
          /etc/csf/csf.allow

   -car, --carm ip
          Remove allowed IP in a  Cluster  and  remove  from  each  remote
          /etc/csf/csf.allow

   -cr, --crm ip
          Unblock  an  IP  in  a  Cluster  and  remove  from  each  remote
          /etc/csf/csf.deny

   -cc, --cconfig [name] [value]
          Change configuration option [name] to [value] in a Cluster

   -cf, --cfile [file]
          Send [file] in a Cluster to /etc/csf/

   -crs, --crestart
          Cluster restart csf and lfd

   -w,  --watch ip
          Log SYN packets for an IP across iptables chains

   -m,  --mail [email]
          Display Server Check in HTML or email to [email] if present

   --rbl [email]
          Process and display RBL Check in HTML or  email  to  [email]  if
          present

   -lr, --logrun
          Initiate Log Scanner report via lfd

   -p, --ports
          View ports on the server that have a running process behind them
          listening for external connections

   --graphs [graph type] [directory]
          Generate System Statistics HTML pages and images for a given graph type into a given directory. See ST_SYSTEM for requirements.

   --profile [command] [profile|backup] [profile|backup]
          Configuration profile functions for /etc/csf/csf.conf
          You can create your own profiles using the examples provided  in
          /usr/local/csf/profiles/
          The  profile  reset_to_defaults.conf  is a special case and will
          always be the latest default csf.conf

          list
          Lists available profiles and backups

          apply [profile]
          Modify csf.conf with Configuration Profile

          backup "name"
          Create Configuration  Backup  with  optional  "name"  stored  in
          /var/lib/csf/backup/

          restore [backup]
          Restore a Configuration Backup

          keep [num]
          Remove old Configuration Backups and keep the latest [num]

          diff [profile|backup] [profile|backup]
          Report  differences between Configuration Profiles or Configura-
          tion Backups, only specify one [profile|backup]  to  compare  to
          the current Configuration

   -c,  --check
          Check for updates to csf but do not upgrade

   -u,  --update
          Check for updates to csf and upgrade if available

   -uf    Force an update of csf whether and upgrade is required or not

   -x,  --disable
          Disable csf and lfd completely

   -e,  --enable
          Enable csf and lfd if previously disabled

   -v,  --version
          Show csf version

Okay, now we have learned how to allow and deny IPs, but what about ports?

With the many options in csf.conf we are just getting started here.

But don't worry, I'll guide you through the easiest way possible to configure the CSF firewall.

In csf.conf (/etc/csf/csf.conf) the list of ports is specified for TCP over both IPv4 and IPv6, but for now we'll set it for IPv4, because most of us are more familiar with it.

It's also important to know which ports are open or closed, because that affects how your server operates.

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

The TCP and UDP ports above allow the server to communicate using the default ports.

When a server starts a service, that service binds a port, which is the gateway for communication with the outside world as well as for incoming traffic.

You can check which services on your system are currently using which ports for communication,
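Before you change TCP_IN, the check I would want in place, as an added example that is not part of the original post or of the CSF project: a POSIX shell validator for the comma-separated port list that rejects malformed entries and refuses any list that no longer allows the SSH port, because applying such a list with TESTING at "0" locks you out of the server. The candidate lists in the demo are constructed (the first one is the post's default TCP_IN), and the SSH port of 22 is an assumption; pass your own.

```shell
#!/bin/sh
# Added example (not from the original post or the CSF project): sanity-check
# a TCP_IN port list before writing it into csf.conf. Two things bite people
# here: a malformed entry makes csf refuse to load the rules, and leaving the
# SSH port out of TCP_IN locks you out once TESTING is 0. The lists below are
# constructed samples; the SSH port (22) is an assumption, pass your own.

# valid_port_entry ENTRY -> 0 if ENTRY is a port (1-65535) or a range
# "low:high" in the form csf.conf accepts (e.g. 33434:33523)
valid_port_entry() {
    case $1 in
        *:*)
            low=${1%%:*}; high=${1#*:}
            valid_port_entry "$low" && valid_port_entry "$high" && [ "$low" -lt "$high" ]
            ;;
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -ge 1 ] && [ "$1" -le 65535 ] ;;
    esac
}

# check_tcp_in LIST SSH_PORT -> 0 if every entry is valid and SSH_PORT is
# covered by a single port or a range; explains the first problem on stderr
check_tcp_in() {
    list=$1; ssh_port=$2; ssh_ok=1
    old_ifs=$IFS; IFS=,; set -- $list; IFS=$old_ifs
    for entry in "$@"; do
        if ! valid_port_entry "$entry"; then
            echo "TCP_IN: bad entry '$entry'" >&2; return 1
        fi
        case $entry in
            *:*) low=${entry%%:*}; high=${entry#*:}
                 if [ "$ssh_port" -ge "$low" ] && [ "$ssh_port" -le "$high" ]; then ssh_ok=0; fi ;;
            *)   if [ "$entry" -eq "$ssh_port" ]; then ssh_ok=0; fi ;;
        esac
    done
    if [ "$ssh_ok" -ne 0 ]; then
        echo "TCP_IN: SSH port $ssh_port is not allowed; applying this would lock you out" >&2
        return 1
    fi
    return 0
}

# Demo: the post's default TCP_IN passes; the second list forgot SSH;
# the third has a typo (letter O instead of zero).
for candidate in "20,21,22,25,53,80,110,143,443,465,587,993,995" "80,443" "22,8O"; do
    if check_tcp_in "$candidate" 22; then
        echo "OK:       TCP_IN = \"$candidate\""
    else
        echo "REJECTED: TCP_IN = \"$candidate\""
    fi
done
```

If you run sshd on a non-default port, pass that port instead of 22; the range branch is there because csf.conf accepts `low:high` entries such as the traceroute range in the UDP_OUT comment above, and an SSH port inside such a range still counts as allowed.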

       $ sudo csf -p

Ports listening for external connections and the executables running behind them:

Port/Proto Open Conn  PID/User             Command Line                            Executable
22/tcp     4/6  2     (736/root)           /usr/sbin/sshd -D                       /usr/sbin/sshd
80/tcp     4/6  -     (876/root)           /usr/sbin/apache2 -k start              /usr/sbin/apache2
80/tcp     4/6  -     (878/www-data)       /usr/sbin/apache2 -k start              /usr/sbin/apache2
80/tcp     4/6  -     (879/www-data)       /usr/sbin/apache2 -k start              /usr/sbin/apache2
8009/tcp   -/-  -     (704/tomcat)         /usr/lib/jvm/java-8-oracle/jre/bin/j... /usr/lib/jvm/java-8-oracle/jre/bin/java
8080/tcp   -/-  -     (704/tomcat)         /usr/lib/jvm/java-8-oracle/jre/bin/j... /usr/lib/jvm/java-8-oracle/jre/bin/java

You can set your custom ports in this configuration; the list below shows default service ports that are widely used by common services.

Here are some universally known service ports,

21 -> FTP
22 -> SSH
23 -> Telnet
25 -> SMTP (mail transfer)
43 -> WHOIS service
53 -> Name server (DNS)
80 -> HTTP (default web server)
110 -> POP3 (email service)
443 -> HTTPS (HTTP over SSL/TLS)
995 -> POP3 over SSL/TLS
9999 -> Urchin
3306 -> MySQL server
2082 -> cPanel (default)
2083 -> cPanel (secure / SSL)
2086 -> cPanel WHM
2087 -> cPanel WHM (secure / SSL)
2095 -> cPanel webmail
2096 -> cPanel webmail (secure / SSL)
8443 -> Plesk control panel
2222 -> DirectAdmin control panel
10000 -> Webmin control panel

Advanced configuration to know

ICMP Ping

If you are running any publicly reachable services,

it is recommended to permit ICMP requests, as these can be used to find out whether or not your service is reachable.

ICMP_IN set to 1 permits ping to your server, and 0 rejects such requests.

     ICMP_IN="0"

SynFlood

SYNFLOOD protection is important and csf.conf already carries a setting for it; if you need to change the RATE and BURST values, use the following lines to match your needs.

     SYNFLOOD = "0"
     SYNFLOOD_RATE = "110/s"
     SYNFLOOD_BURST = "160"

PortFlood

Once the PORTFLOOD option is enabled, it limits the number of new connections that can be made to particular ports per time interval, to shield a specific port on your server from DoS attacks.

On port 80, I'm allowing 15 connections per 7 seconds.

      PORTFLOOD = "80;tcp;15;7"

Email Alerts

Define the email address to which alerts should be sent, and the address they should be sent from.

     LF_ALERT_TO = "mayur.c@poweruphosting.com"

     LF_ALERT_FROM = "configserver@poweruphosting.com"

Connection Limit Protection

Limits the number of simultaneous active connections to a port.

Connection limits for multiple ports are separated by a comma.

       CONNLIMIT = "80;15,21;3"

This means the maximum number of simultaneous connections to port 80 (HTTP) from one IP is 15, and to port 21 (FTP) per IP is 3.
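PORTFLOOD and CONNLIMIT above both use a compact ";"-separated rule syntax, and a malformed rule only shows up as csf failing to apply its rules. As an added example, not part of the original post or of the CSF project, here is a POSIX shell validator for both values that names the bad field before you write it into csf.conf. The sample values are constructed, apart from the post's own "80;tcp;15;7" and "80;15,21;3".

```shell
#!/bin/sh
# Added example (not from the original post or the CSF project): validate
# PORTFLOOD and CONNLIMIT values before they go into csf.conf. Both use a
# ";"-separated field syntax with rules joined by ",", and a malformed rule
# only surfaces as csf failing to apply the rules, so checking the fields
# first and naming the bad one saves a restart-and-read-the-log round trip.
# The sample values below are constructed, apart from the post's own
# "80;tcp;15;7" and "80;15,21;3".

# is_uint S -> 0 if S is a non-empty string of digits
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# is_port S -> 0 if S is an integer in 1..65535
is_port() { is_uint "$1" && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# check_portflood VALUE -> VALUE is "port;proto;hits;interval" rules joined
# by ","; proto must be tcp or udp, hits and interval must be >= 1
check_portflood() {
    old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
    for rule in "$@"; do
        case $rule in
            *";"*";"*";"*";"*) echo "PORTFLOOD: too many fields in '$rule'" >&2; return 1 ;;
            *";"*";"*";"*) ;;
            *) echo "PORTFLOOD: '$rule' needs port;proto;hits;interval" >&2; return 1 ;;
        esac
        port=${rule%%;*};  rest=${rule#*;}
        proto=${rest%%;*}; rest=${rest#*;}
        hits=${rest%%;*};  interval=${rest#*;}
        is_port "$port" || { echo "PORTFLOOD: bad port in '$rule'" >&2; return 1; }
        case $proto in tcp|udp) ;; *) echo "PORTFLOOD: proto must be tcp or udp in '$rule'" >&2; return 1 ;; esac
        is_uint "$hits" && [ "$hits" -ge 1 ] || { echo "PORTFLOOD: bad hits in '$rule'" >&2; return 1; }
        is_uint "$interval" && [ "$interval" -ge 1 ] || { echo "PORTFLOOD: bad interval in '$rule'" >&2; return 1; }
    done
    return 0
}

# check_connlimit VALUE -> VALUE is "port;limit" rules joined by ","
# (an empty VALUE means the feature is off and is accepted)
check_connlimit() {
    old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
    for rule in "$@"; do
        case $rule in
            *";"*";"*) echo "CONNLIMIT: too many fields in '$rule'" >&2; return 1 ;;
            *";"*) ;;
            *) echo "CONNLIMIT: '$rule' needs port;limit" >&2; return 1 ;;
        esac
        port=${rule%%;*}; limit=${rule#*;}
        is_port "$port" || { echo "CONNLIMIT: bad port in '$rule'" >&2; return 1; }
        is_uint "$limit" && [ "$limit" -ge 1 ] || { echo "CONNLIMIT: bad limit in '$rule'" >&2; return 1; }
    done
    return 0
}

# Demo: the post's values pass; a rule with a missing field and one with a
# bogus protocol are rejected with the reason on stderr.
for v in "80;tcp;15;7" "80;tcp;15;7,443;tcp;20;5" "80;tcp;15" "80;icmp;15;7"; do
    check_portflood "$v" && echo "PORTFLOOD ok: \"$v\""
done
for v in "80;15,21;3" "80;15,21"; do
    check_connlimit "$v" && echo "CONNLIMIT ok: \"$v\""
done
```

Run the checker on the value you intend to set, and only then write it into csf.conf and restart with `csf -ra`; the two functions return non-zero on the first bad rule, which makes them easy to chain in a provisioning script.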

There are many settings you can check and configure as you like, and many of them are

You can uninstall CSF using the uninstall.sh script that ships in /etc/csf (it appears in the directory listing above),

       $ sudo sh /etc/csf/uninstall.sh

Final Conclusion:

CSF offers an extensive range of settings that are not covered in this tutorial.

The default settings are designed to counter most DDoS attacks, flood attacks and port scans.

The default values are good for the most part and can be used on any server.

We have covered a portion of the many features that CSF provides.

It is very useful, gives servers good protection against attacks, and gives you full control over the setup so that a server can run smoothly.

To learn about and use the many other features of CSF, have a look at the readme.txt file in the extracted folder.

It gives a brief description of all the features and how an administrator can use them.
