CSF, in full ConfigServer Security & Firewall, is a free host firewall (an iptables front end plus the lfd login-failure daemon) widely used on Linux servers.
CSF covers what a host firewall needs. Some standout features:
- Tracks failed logins for SSH, POP3/IMAP, SMTP and FTP and blocks the source after repeated failures, with a notification
- Reports security weaknesses in the server's configuration
- Watches files and directories and alerts when they change
- Protects against SYN flood and ping of death
- Tracks connections per source address and blocks port scans and connection floods
Install CSF
Preparation: start from a freshly installed Ubuntu server and log in as root (or prefix every command below with sudo).
Ubuntu 16.04 ships with UFW, which manages the same iptables rules CSF does, so disable it before installing CSF:
    ufw disable
If the command reports that ufw is not found, UFW is not installed on that server and there is nothing to disable.
CSF is not in the Ubuntu repositories, so download the tarball from ConfigServer (use https if the server offers it; the archive is not signed, so transport security is the only integrity check you get):
    wget http://download.configserver.com/csf.tgz
Unpack it:
    tar -xvzf csf.tgz
Move into the csf directory and run the install command:
    cd csf
    bash install.sh
The installer prints a success message when it finishes.
Before going further, check that the iptables modules CSF needs are available on this kernel:
    perl /usr/local/csf/bin/csftest.pl
Every module test should end with OK and the final line should state that csf should function on this server. If a module is reported missing, fix that first; CSF cannot enforce rules that the kernel cannot load.
Configure CSF
The CSF configuration file is /etc/csf/csf.conf.
Open it with nano (or any editor):
    nano /etc/csf/csf.conf
Set TCP_IN, TCP_OUT, UDP_IN and UDP_OUT to the ports this server actually needs, then change TESTING to 0 to take CSF out of test mode. While TESTING is 1, a cron job flushes the rules every few minutes (TESTING_INTERVAL) so a mistake cannot lock you out permanently; before setting it to 0, make sure the port sshd listens on is in TCP_IN.
    # Enable CSF (1 = test mode, rules are flushed every TESTING_INTERVAL minutes)
    TESTING = "0"
    # Allow incoming TCP ports
    TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
    # Allow outgoing TCP ports
    TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
    # Allow incoming UDP ports
    UDP_IN = "20,21,53"
    # Allow outgoing UDP ports
    # To allow outgoing traceroute add 33434:33523 to this list
    UDP_OUT = "20,21,53,113,123"
    # Allow incoming PING
    ICMP_IN = "1"
    # Set the per IP address incoming ICMP packet rate
    # To disable rate limiting set to "0"
    ICMP_IN_RATE = "1/s"
    # Allow outgoing PING
    ICMP_OUT = "1"
The ports in the lists above are:
- Port 20: FTP data transfer
- Port 21: FTP control
- Port 22: Secure Shell (SSH)
- Port 25: Simple Mail Transfer Protocol (SMTP)
- Port 53: Domain Name System (DNS)
- Port 80: Hypertext Transfer Protocol (HTTP)
- Port 110: Post Office Protocol v3 (POP3)
- Port 113: Ident/authentication service (only in the outgoing list above)
- Port 123: Network Time Protocol (NTP)
- Port 143: Internet Message Access Protocol (IMAP)
- Port 443: HTTP over TLS (HTTPS)
- Port 465: SMTP over implicit TLS (SMTPS); IANA registers 465 as URL Rendezvous Directory (Cisco), but mail servers use it for TLS submission
- Port 587: E-mail message submission (SMTP)
- Port 993: IMAP over TLS (IMAPS)
- Port 995: POP3 over TLS (POP3S)
Keep only the ports for services this server actually runs. Every open port is attack surface, and FTP (20/21) and plain POP3/IMAP (110/143) send credentials in clear text, so drop them unless you genuinely need them.
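Editing the port lists by hand is where most lockouts happen. The script below is an added example and is not part of the original page or of CSF itself: it edits csf.conf-style lines with anchored replacements, refuses keys that do not exist in the file, and will not set TESTING to 0 unless the SSH port (assumed to come from an SSH_PORT variable, default 22) is present in TCP_IN, including inside a low:high range. The configuration lines it runs against are constructed; point it at /etc/csf/csf.conf to use it on a real host.

```shell
#!/usr/bin/env bash
# Added example, not from the original page or from ConfigServer.
# Edits csf.conf-style KEY = "value" lines in place and refuses to
# leave test mode while the SSH port is missing from TCP_IN.

# csf_get FILE KEY -> print the value of KEY without its quotes.
csf_get() {
    sed -n "s/^$2 *= *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# csf_set FILE KEY VALUE -> rewrite the existing KEY line; unknown keys
# are an error so a typo never appends a line csf would silently ignore.
csf_set() {
    local file=$1 key=$2 value=$3
    case $value in */*|*'&'*) echo "unsupported character in value: $value" >&2; return 1;; esac
    grep -q "^$key *= *\"" "$file" || { echo "no such key: $key" >&2; return 1; }
    sed -i "s/^\($key *= *\)\"[^\"]*\"/\1\"$value\"/" "$file"
}

# port_in_list PORT LIST -> true if PORT is in a comma-separated list that
# may contain ranges written as low:high (the csf.conf syntax).
port_in_list() {
    local port=$1 item lo hi
    local IFS=','
    for item in $2; do
        case $item in
            *:*) lo=${item%%:*}; hi=${item##*:}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
            *)   [ "$item" = "$port" ] && return 0 ;;
        esac
    done
    return 1
}

# csf_enable FILE -> set TESTING = "0" only if the SSH port is allowed in.
# Assumption: the port sshd listens on is in $SSH_PORT (default 22).
csf_enable() {
    local file=$1 sshport=${SSH_PORT:-22}
    if ! port_in_list "$sshport" "$(csf_get "$file" TCP_IN)"; then
        echo "refusing to set TESTING=0: SSH port $sshport is not in TCP_IN" >&2
        return 1
    fi
    csf_set "$file" TESTING 0
}

# Constructed sample of the relevant csf.conf lines (the page's values).
write_sample_conf() {
    cat > "$1" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
EOF
}

# Dry run: trim TCP_IN for a web and mail host that runs neither FTP nor
# plain POP3/IMAP, forgetting SSH first (refused), then with SSH included.
conf=$(mktemp)
write_sample_conf "$conf"
csf_set "$conf" TCP_IN "25,53,80,443,465,587,993"
csf_enable "$conf" || echo "still in test mode, TESTING = $(csf_get "$conf" TESTING)"
csf_set "$conf" TCP_IN "22,25,53,80,443,465,587,993"
csf_enable "$conf" && echo "enabled, TESTING = $(csf_get "$conf" TESTING)"
rm -f "$conf"
```

The sed expressions are anchored at the start of the line and match only the quoted value, so a comment line that mentions a key (csf.conf has many) is never touched. If sshd listens on a non-default port, run it as SSH_PORT=2222 csf_enable /etc/csf/csf.conf.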
Save the file, then reload CSF so the new rules take effect:
    csf -r
Start the firewall rules:
    csf -s
Disable CSF and lfd completely (also stops them from starting at boot):
    csf -x
Enable them again:
    csf -e
Allow and block IP addresses
There are two ways to allow or block an address: edit csf.allow and csf.deny directly, or use the csf command, which writes those files for you and applies the rule immediately. Entries in csf.allow take precedence over csf.deny.
To allow an address by hand, open csf.allow:
    nano /etc/csf/csf.allow
Add the address or CIDR range on its own line at the end of the file; an optional comment may follow a #. Hand edits only take effect after the next csf -r.
Or add it with the command, which is applied at once and recorded in csf.allow:
    csf -a 192.168.15.12
Blocking works the same way: add the address to csf.deny, or run the following (csf -ar and csf -dr remove an allow or deny entry again):
    csf -d 192.168.15.0/24
csf.ignore lists addresses that lfd must never block for login failures and similar triggers; it does not open the firewall for them (that is what csf.allow is for). Edit it with:
    nano /etc/csf/csf.ignore
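As an added example (not from the page or from CSF), here is a small wrapper that writes a csf.deny entry in the same "address # comment" form that csf -d records, but first validates the address, refuses it if it is also in csf.allow (allow entries take precedence, so the deny would do nothing) and refuses the address of your own SSH session, read from the SSH_CLIENT variable that sshd sets. File paths are parameters, and the files used in the dry run are constructed temporaries rather than /etc/csf/csf.allow and csf.deny.

```shell
#!/usr/bin/env bash
# Added example, not from the original page or from ConfigServer.
# Appends an entry to a csf.deny-style file in the "address # comment"
# form csf -d writes, after checks that csf itself does not make.

# valid_cidr4 ADDR -> true for a.b.c.d or a.b.c.d/n with sane octets and mask.
valid_cidr4() {
    local ip=${1%%/*} bits=${1#*/} o
    [ "$1" = "$ip" ] && bits=32                 # no mask given: single host
    case $bits in ''|*[!0-9]*) return 1;; esac
    [ "$bits" -le 32 ] || return 1
    local IFS='.'
    set -- $ip
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# listed FILE ADDR -> true if ADDR is the first field of some line in FILE.
# This is a literal match; it does not notice that a single host address
# falls inside a CIDR entry on another line.
listed() {
    [ -f "$1" ] && awk -v a="$2" '$1 == a { found = 1 } END { exit !found }' "$1"
}

# csf_deny_add DENYFILE ALLOWFILE ADDR [COMMENT]
csf_deny_add() {
    local deny=$1 allow=$2 addr=$3 comment=${4:-manual deny}
    local me=${SSH_CLIENT%% *}                  # your own SSH client address, if any
    if ! valid_cidr4 "$addr"; then
        echo "invalid IPv4 address or range: $addr" >&2; return 1
    fi
    if listed "$allow" "$addr"; then
        echo "refusing: $addr is in csf.allow, which takes precedence, so the deny would be a no-op" >&2; return 1
    fi
    if [ -n "$me" ] && [ "$me" = "$addr" ]; then
        echo "refusing: $addr is the address of your own SSH session" >&2; return 1
    fi
    if listed "$deny" "$addr"; then
        echo "already denied: $addr"; return 0
    fi
    printf '%s # %s %s\n' "$addr" "$comment" "$(date -u +%Y-%m-%dT%H:%MZ)" >> "$deny"
}

# Dry run on constructed temporary files instead of /etc/csf/csf.{allow,deny}.
deny=$(mktemp); allow=$(mktemp)
echo "203.0.113.5 # office, never block" > "$allow"
csf_deny_add "$deny" "$allow" 203.0.113.5 "mistake"               # refused
csf_deny_add "$deny" "$allow" 192.168.15.0/24 "scanner from lfd alerts"
csf_deny_add "$deny" "$allow" 192.168.15.0/24 "again"             # duplicate, skipped
cat "$deny"
rm -f "$deny" "$allow"
```

After appending to the real csf.deny this way, run csf -r; csf -d does the reload for you, which is why it is the better choice on a live host and this wrapper is mostly useful as a pre-check or inside automation.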
Advanced CSF Configuration
CSF can rate-limit connections to blunt denial-of-service attacks against a single host. This only helps with floods the server itself can absorb; a volumetric DDoS that saturates the uplink has to be filtered upstream, before it reaches the machine.
Open the configuration file:
    nano /etc/csf/csf.conf
Set the following fields (all values in csf.conf are quoted strings):
    # Connection tracking: concurrent connections allowed from one IP address.
    # lfd counts them every CT_INTERVAL seconds and blocks addresses above the limit.
    # 0 disables this. 50 is tight for a busy web server (many users behind one
    # NAT share an address), so raise it if legitimate clients get blocked.
    CT_LIMIT = "50"
    # Make connection-tracking blocks permanent (1) or temporary (0).
    # When this is 1, CT_BLOCK_TIME is ignored.
    CT_PERMANENT = "0"
    # Length of a temporary block in seconds (only used when CT_PERMANENT = "0")
    CT_BLOCK_TIME = "600"
    # Concurrent connections per IP to individual ports: port;limit, comma-separated.
    # Here at most 15 to port 80 and 15 to port 22 from a single IP.
    CONNLIMIT = "80;15,22;15"
    # Port flood protection: port;protocol;hits;seconds. More than 30 new
    # connections to TCP port 80 from one IP within 5 seconds causes further
    # new connections from that IP to the port to be dropped for the interval.
    PORTFLOOD = "80;tcp;30;5"
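These settings interact in ways that are easy to get wrong, so as an added example (not part of the page or of CSF) here is a checker that reads those keys from a csf.conf-style file, validates the CONNLIMIT and PORTFLOOD syntax, and flags CT_PERMANENT = "1" combined with a non-zero CT_BLOCK_TIME, the combination the block-time comment silently does not deliver. The sample configuration it writes is constructed; run check_csf_dos /etc/csf/csf.conf before csf -r on a real host.

```shell
#!/usr/bin/env bash
# Added example, not from the original page or from ConfigServer.
# Validates the connection-tracking and flood settings in a csf.conf-style
# file and reports combinations that do not do what their comments promise.

# csf_get FILE KEY -> print the value of KEY without its quotes.
csf_get() { sed -n "s/^$2 *= *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1; }

# is_uint VALUE -> true for a non-empty string of digits.
is_uint() { case $1 in ''|*[!0-9]*) return 1;; *) return 0;; esac; }

# check_connlimit VALUE -> every entry must be "port;limit" (comma-separated).
check_connlimit() {
    local IFS=',' entry port limit extra
    for entry in $1; do
        IFS=';' read -r port limit extra <<EOF
$entry
EOF
        if ! is_uint "$port" || ! is_uint "$limit" || [ -n "$extra" ] || [ "$port" -gt 65535 ]; then
            echo "bad CONNLIMIT entry '$entry' (want port;limit)" >&2
            return 1
        fi
    done
    return 0
}

# check_portflood VALUE -> every entry must be "port;tcp|udp;hits;seconds".
check_portflood() {
    local IFS=',' entry port proto hits secs extra
    for entry in $1; do
        IFS=';' read -r port proto hits secs extra <<EOF
$entry
EOF
        case $proto in tcp|udp) ;; *) echo "bad PORTFLOOD entry '$entry': protocol must be tcp or udp" >&2; return 1;; esac
        if ! is_uint "$port" || ! is_uint "$hits" || ! is_uint "$secs" || [ -n "$extra" ]; then
            echo "bad PORTFLOOD entry '$entry' (want port;proto;hits;seconds)" >&2
            return 1
        fi
    done
    return 0
}

# check_csf_dos FILE -> 0 when the settings are consistent, 1 otherwise.
check_csf_dos() {
    local file=$1 rc=0 perm btime limit
    perm=$(csf_get "$file" CT_PERMANENT)
    btime=$(csf_get "$file" CT_BLOCK_TIME)
    limit=$(csf_get "$file" CT_LIMIT)
    is_uint "$limit" || { echo "CT_LIMIT must be a number (0 disables tracking)" >&2; rc=1; }
    # CT_BLOCK_TIME only applies to temporary blocks, so a permanent setting
    # next to a block time means one of the two is not what the admin meant.
    if [ "$perm" = "1" ] && is_uint "$btime" && [ "$btime" -ne 0 ]; then
        echo "CT_PERMANENT=1 ignores CT_BLOCK_TIME=$btime: blocks will never expire" >&2
        rc=1
    fi
    check_connlimit "$(csf_get "$file" CONNLIMIT)" || rc=1
    check_portflood "$(csf_get "$file" PORTFLOOD)" || rc=1
    return $rc
}

# write_dos_conf FILE CT_PERMANENT CT_BLOCK_TIME -> constructed sample config.
write_dos_conf() {
    cat > "$1" <<EOF
CT_LIMIT = "50"
CT_PERMANENT = "$2"
CT_BLOCK_TIME = "$3"
CONNLIMIT = "80;15,22;15"
PORTFLOOD = "80;tcp;30;5"
EOF
}

# Dry run: permanent blocks plus a 600 s block time is flagged; setting
# CT_PERMANENT to "0" makes the two settings consistent.
sample=$(mktemp)
write_dos_conf "$sample" 1 600
check_csf_dos "$sample" || echo "sample 1: needs attention"
write_dos_conf "$sample" 0 600
check_csf_dos "$sample" && echo "sample 2: consistent"
rm -f "$sample"
```

A syntax slip in CONNLIMIT or PORTFLOOD is worse than it looks: csf builds iptables rules from these strings at start-up, and a malformed entry means the intended limit is simply not enforced, without any denied connection to make you notice.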
Finally, reload the firewall so the new limits are applied:
    csf -r
At this point CSF is installed and configured on the server.
CSF narrows the server's exposed ports and blocks brute-force and flood traffic, but it is not a substitute for patching and hardening the services behind the ports you left open.

