Feb 13 2012

From diademblogs.com

Config Server Firewall (csf) with Login Failure Daemon (lfd) is a robust firewall solution for Linux servers, combining Stateful Packet Inspection (SPI), login/intrusion detection and a security application. Although it is more compatible with cPanel, we have been able to use it with the Plesk hosting control panel as well, and it is running fine. For more information, visit http://www.configserver.com

I have listed the installation steps for CSF / LFD below. Log in to your server as the 'root' user and issue the commands below:
Change directory to either /root or /usr/local/src, whichever you normally use for such installations

 cd /usr/local/src

[Remove any old source that might be present]

Download and untar the source for installation

 wget http://www.configserver.com/free/csf.tgz
 tar -xzf csf.tgz

Run installation script

 cd csf
 sh install.sh

Once the installation is complete, you can run the script below, provided by the vendor, to check whether your server/VPS has the required iptables modules available:

 perl /etc/csf/csftest.pl

CSF provides a script to remove the other popular combination I talked about above, i.e. apf/bfd. The script below will remove apf/bfd from your server/VPS.

 sh /etc/csf/remove_apf_bfd.sh

Common settings for incoming/outgoing TCP/IP and UDP connections:

ETH_DEVICE = "eth1"
ETH_DEVICE_SKIP = "eth0"
# Allow incoming TCP ports
TCP_IN = "20,21,25,53,80,106,110,111,143,443,465,587,865,873,993,995,8443,8880"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,80,110,443,43,873,8443"
# Allow incoming UDP ports
UDP_IN = "53,111,123,230,631,859,862,2109,5353"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,2109"
# Allow incoming PING
ICMP_IN = "1"
# Set the per IP address incoming ICMP packet rate
# To disable rate limiting set to "0"
ICMP_IN_RATE = "0"
# Allow outgoing PING
ICMP_OUT = "1"
# Set the per IP address outgoing ICMP packet rate
# To disable rate limiting set to "0"
ICMP_OUT_RATE = "0"
# Enable login failure detection daemon (lfd).
LF_DAEMON = "1"
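A port list copied from a guide usually opens more than a given server actually serves. The script below is an added example, not part of the original post: it compares the TCP_IN value with the host's listening sockets and prints allowed ports that have no listener, as candidates for removal. The function names and the sample data are constructed for illustration; it assumes the `KEY = "value"` line format shown above and `ss -Hltn` output as input.

```shell
#!/bin/sh
# Added example, not from the original post: list ports opened by TCP_IN
# that have no listening service behind them.

# Print the quoted value of setting $1 from csf.conf-style text on stdin.
conf_value() {
    awk -v key="$1" -F'"' '$1 ~ ("^[ \t]*" key "[ \t]*=[ \t]*$") { print $2; exit }'
}

# Expand "20,21,8443:8445" (stdin) to one port per line; "a:b" is a range.
expand_ports() {
    tr ',' '\n' | awk -F: '
        NF == 1 && $1 != "" { print $1 }
        NF == 2 { for (p = $1 + 0; p <= $2 + 0; p++) print p }'
}

# Local ports from `ss -Hltn` output on stdin (4th column, after last colon).
listening_ports() {
    awk 'NF >= 4 { n = split($4, a, ":"); print a[n] }' | sort -un
}

# $1 = csf.conf text, $2 = `ss -Hltn` text; prints allowed ports nobody serves.
open_without_listener() {
    listening=$(printf '%s\n' "$2" | listening_ports | tr '\n' ' ')
    printf '%s\n' "$1" | conf_value TCP_IN | expand_ports |
        awk -v l="$listening" '
            BEGIN { n = split(l, a, " "); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
            !($1 in seen) { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample input: a shortened TCP_IN and four listeners.
SAMPLE_CONF='# Allow incoming TCP ports
TCP_IN = "20,21,25,80,111,443,8443:8445"
TCP_OUT = "20,21,22,25,80"'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 128 *:8443 *:*'

echo "Allowed by TCP_IN, no listener: $(open_without_listener "$SAMPLE_CONF" "$SAMPLE_SS")"
```

On a live server, call it as `open_without_listener "$(cat /etc/csf/csf.conf)" "$(ss -Hltn)"`. A port reported here is not necessarily wrong (a service may simply be stopped), but each one should be justified or removed from TCP_IN.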

To allow Qmail in CSF, alter the setting(s) below:

SMTP_BLOCK = "1"
SMTP_ALLOWLOCAL = "1"
SMTP_PORTS = "25,587"
SMTP_ALLOWUSER = "qmaild,qmaill,qmailp,qmailq,qmailr,qmails"
SMTP_ALLOWGROUP = "qmail,nofiles,mail,mailman"

Set the CSF/LFD reporting FROM/TO e-mail IDs as below [**** Need to set for Plesk]

LF_ALERT_TO = [email protected]
LF_ALERT_FROM = [email protected]

Allowing third party block list checking

# Enable IP range blocking using the DShield Block List at
LF_DSHIELD = "86400"
# Enable IP range blocking using the Spamhaus DROP List at
LF_SPAMHAUS = "86400"
# Enable IP range blocking using the BOGON List at
LF_BOGON = "86400"

Now add the LFD ignore list for the qmail/Plesk mail users and processes to the csf.pignore file.

# vim /etc/csf/csf.pignore
#### Custom for Plesk ####
user:admin
exe:/var/qmail/bin/qmail-smtpd
exe:/usr/bin/imapd
exe:/var/qmail/bin/qmail-queue
exe:/usr/bin/pop3d
exe:/var/qmail/bin/qmail-send
cmd:qmail-send
cmd:/usr/bin/pop3d Maildir
cmd:/var/qmail/bin/qmail-queue
cmd:/var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
cmd:/usr/bin/imapd Maildir
exe:/var/qmail/bin/qmail-rspawn
cmd:qmail-rspawn
exe:/var/qmail/bin/qmail-clean
cmd:qmail-clean
exe:/usr/sbin/clamd
cmd:clamd
exe:/var/qmail/bin/splogger
cmd:splogger qmail
exe:/var/qmail/bin/qmail-remote.moved
user:qmaill
user:popuser
user:qmaild
user:qmails
user:qmailr
user:qmailq
user:qscand
exe:/usr/sbin/avahi-daemon
user:avahi
exe:/usr/local/sbin/zabbix_agentd
cmd:/usr/local/sbin/zabbix_agentd
user:zabbix
exe:/usr/bin/sw-engine-cgi
cmd:/usr/bin/sw-engine-cgi
user:sso
exe:/usr/sbin/sw-cp-serverd
cmd:/usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config
user:sw-cp-server
exe:/usr/bin/sw-engine-cgi
cmd:/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm
user:psaadm
exe:/usr/libexec/mysqld
cmd:/usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock
user:mysql
exe:/usr/libexec/hald-addon-acpi
exe:/usr/sbin/hald
cmd:hald
user:haldaemon
exe:/usr/bin/postgres
user:postgres
exe:/sbin/portmap
cmd:portmap
user:rpc
exe:/usr/bin/xfs
cmd:xfs -droppriv -daemon
user:xfs
exe:/usr/bin/python
cmd:/usr/bin/python /usr/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
user:mailman
exe:/usr/java/jdk1.6.0_20/bin/java
user:tomcat

Note: You may need to add a few more processes/users as per your requirements.
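Every line in csf.pignore is an exemption from lfd process tracking, so the file is worth checking before lfd is restarted. The script below is an added example, not part of the original post or of csf: it flags entries with an unknown prefix, duplicates, non-ASCII characters (a `cmd:` line pasted with a typographic dash in place of `--` will never match a real command line) and `exe:` entries that name a general interpreter, which exempt every script run by it. The accepted prefixes are assumed to be exe, cmd, user and their regex forms pexe, pcmd, puser; the interpreter list and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check csf.pignore entries
# before restarting lfd.

# Reads csf.pignore text on stdin, prints "line:issue:entry" for each finding.
lint_pignore() {
    LC_ALL=C awk '
        BEGIN { interp = "^exe:.*/(python|perl|php|java|sh|bash)[0-9.]*$" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            issue = ""
            if ($0 !~ /^p?(exe|cmd|user):./)  issue = "bad-prefix"
            else if ($0 ~ /[^ -~]/)           issue = "non-ascii"
            else if ($0 in seen)              issue = "duplicate"
            else if ($0 ~ "^exe:[^/]")        issue = "relative-exe"
            else if ($0 ~ interp)             issue = "broad-interpreter"
            seen[$0] = 1
            if (issue != "") print NR ":" issue ":" $0
        }'
}

# Constructed sample; DASH is the UTF-8 en dash that web typography
# substitutes for the "--" in front of "basedir".
DASH=$(printf '\342\200\223')
SAMPLE_PIGNORE="#### Custom for Plesk ####
user:admin
exe:/var/qmail/bin/qmail-smtpd
exe:/usr/bin/sw-engine-cgi
exe:/usr/bin/sw-engine-cgi
cmd:/usr/libexec/mysqld ${DASH}basedir=/usr
exe:/usr/bin/python
process:/usr/sbin/clamd"

printf '%s\n' "$SAMPLE_PIGNORE" | lint_pignore
```

On a live server, run `lint_pignore < /etc/csf/csf.pignore`. A `broad-interpreter` finding is a prompt to prefer the narrower `cmd:` entry for the specific script over exempting the whole interpreter.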

To start CSF

 csf -s

Restart LFD

 service lfd restart

Installation is done. Now check the website, mail and other service(s), then disable TESTING mode and restart CSF/LFD:

 csf -r
 service lfd restart

Below I list some of the most common commands you will need to manage the csf firewall:

Enabling the firewall

 csf --enable
 OR
 csf -e

Disabling the firewall

 csf --disable
 csf -x

Starting firewall / applying rules

 csf --start
 csf -s

Stopping firewall / flushing rules

 csf --stop
 csf -f

Adding an IP to the firewall deny list

 csf -d 2.3.4.5 "Reason for blocking the IP"
 csf --deny 2.3.4.5 "Reason for blocking the IP"

where 2.3.4.5 is the IP you want to block.

Removing IP from deny list

 csf -dr 2.3.4.5
