
Post by chandranjoy » Sun Mar 07, 2010 8:08 pm

CSF - Config Server Firewall is a stateful packet inspection firewall,
login/intrusion detection and security application for Linux servers. What
does that mean in English? Simple - it's a program that can greatly
improve your dedicated server or VPS's security.

It's a firewall - so it can block/restrict ports you don't want open, and
prevents someone from using any port they want if they did break in.
It has intrusion detection - so it will scan the log files and monitor
failed login attempts, such as FTP password guessing and block the IP.
Those are the 2 big things I like about CSF - and it has a nice interface
for the non techie person, on cPanel servers.

If you have another firewall installed, like APF, CSF can help you
automatically remove the existing firewall and install theirs instead.
Keep in mind it won't migrate over your configuration.

Installation is quite straightforward:
Login as the root user to SSH and run the following commands.
rm -fv csf.tgz
tar -xzf csf.tgz
cd csf

If you would like to disable APF+BFD (which you will need to do if you have
them installed otherwise they will conflict horribly):

That's it. You can then configure csf and lfd in WHM, or edit the files
directly in /etc/csf/*

Installation Completed

Don't forget to:

1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf
configuration to suit your server

2. Restart csf and lfd

3. Set TESTING to 0 once you're happy with the firewall

csf is pre-configured to work on a cPanel server with all the standard cPanel
ports open. It also auto-configures your SSH port if it's non-standard on

You should ensure that the kernel logging daemon (klogd) is enabled.
Typically, VPS servers have this disabled and you should check
/etc/init.d/syslog and make sure that any klogd lines are not commented
out. If you change the file, remember to restart syslog.

Now - log in to your cPanel server's WHM as root and go to the bottom left
menu. If already logged in then reload the page. In Plugins - you will
see: ConfigServer Security & Firewall

The firewall is STOPPED by default - it is not running. We need to
configure it, and then take it out of Test Mode.

Click on Firewall Configuration

ETH_DEVICE =: Set this to eth+

TCP_IN/TCP_OUT/UDP_IN/UDP_OUT = : These are the ports you want to leave
open for your server to operate. If you change the default SSH port make
sure to add it here. Also add any other services you might have running
such as Shoutcast or game servers. By default most of the ports used
should already be configured.

MONOLITHIC_KERNEL = : 0 Only change this to 1 if your firewall will not
start - otherwise leave it as is.

LF_DSHIELD = 0: Change this option to 86400. This is an automatically
updated list of known attacking IPs. Enabling this will stop them from
being able to connect to your server.

Spam Protection Alerts
If you want to add some spam protection, CSF can help. Look in the
configuration for the following:

LF_SCRIPT_ALERT = 0 change this to 1. This will send an email alert to the
system administrator when the limit configured below is reached within an

LF_SCRIPT_LIMIT = 100 change this to 250. This will alert you when any
script sends out 250 email messages in an hour.

Configuration Complete - Almost
Scroll down to the bottom and click on Change to save the settings. Then
click Restart csf+lfd

You should see a big page of ACCEPT and near the bottom you should see:

csf: TESTING mode is enabled - don't forget to disable it in the
Starting lfd:[ OK ]

Click on Return

Now TEST all your services to make sure everything is working - SSH, FTP,
http. After you do a few quick tests go back into the Firewall
Configuration page.

TESTING = 1 change this to 0 and click Change at the bottom. Then Restart

That's it, the firewall is successfully installed and running!!
Firewall Status: Running - you should see this on the main CSF page in WHM.

APF (Advanced Policy Firewall)
APF is a policy-based iptables firewall system designed for ease of use
and configuration. It employs a subset of features to satisfy the veteran
Linux user and the novice alike. It is packaged in tar.gz and RPM formats,
which makes APF ideal for deployment in many server environments based
on Linux. APF is developed and maintained by R-fx Networks:

This guide will show you how to install and configure APF firewall, one of
the better known Linux firewalls available.

Limit SSH connections to one IP with APF in this advanced tutorial

- Root SSH access to your server

Let's begin!
Log in to your server through SSH and su to the root user.

1. cd /root/downloads or another temporary folder where you store your files.

2. wget

3. tar -xvzf apf-current.tar.gz

4. cd apf-0.9.5-1/ or whatever the latest version is.

5. Run the install file: ./
You will receive a message saying it has been installed

Installing APF 0.9.5-1: Completed.

Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/

Other Details:
Listening TCP ports:
Listening UDP ports: 53,55880
Note: These ports are not auto-configured; they are simply presented for
information purposes. You must manually configure all port options.

6. Let's configure the firewall: pico /etc/apf/conf.apf
We will go over the general configuration to get your firewall running.
This isn't a complete detailed guide of every feature the firewall has.
Look through the README and the configuration for an explanation of each

We like to use's "block" list of top networks that have exhibited
suspicious activity.

7. Configuring Firewall Ports:

Cpanel Servers
We like to use the following on our Cpanel Servers

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports -3000_3500 = passive port range for
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083, 2086,2087, 2095,
# Common ingress (inbound) UDP ports

Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]

# Common egress (outbound) TCP ports
# Common egress (outbound) UDP ports

Ensim Servers
We have found the following can be used on Ensim Servers - although we
have not tried these ourselves as I don't run Ensim boxes.

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports
# Common ingress (inbound) UDP ports

Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]

# Common egress (outbound) TCP ports
# Common egress (outbound) UDP ports

Save the changes: Ctrl+X then Y

8. Starting the firewall
/usr/local/sbin/apf -s

Other commands:
usage ./apf [OPTION]
-s|--start ......................... load firewall policies
-r|--restart ....................... flush & load firewall
-f|--flush|--stop .................. flush firewall
-l|--list .......................... list chain rules
-st|--status ....................... firewall status
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall

9. After everything is fine, change the DEV option
Stop the firewall from automatically clearing itself every 5 minutes from
We recommend changing this back to "0" after you've had a chance to ensure
everything is working well and tested the server out.

pico /etc/apf/conf.apf


10. Configure AntiDOS for APF
Relatively new to APF is the new AntiDOS feature which can be found in:
The log file will be located at /var/log/apfados_log so you might want to
make note of it and watch it!

pico /etc/apf/ad/conf.antidos

There are various things you might want to fiddle with but I'll get the
ones that will alert you by email.

# [E-Mail Alerts]
Under this heading we have the following:

# Organization name to display on outgoing alert emails
CONAME="Your Company"
Enter your company name or server name.

# Send out user defined attack alerts [0=off,1=on]
Change this to 1 to get email alerts

# User for alerts to be mailed to
Enter your email address to receive the alerts

Save your changes! Ctrl+X then press Y
Restart the firewall: /usr/local/sbin/apf -r

11. Checking the APF Log

Will show any changes to allow and deny hosts among other things.
tail -f /var/log/apf_log

Example output:
Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from
Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from

12. New - Make APF Start automatically at boot time
To autostart apf on reboot, run this:

chkconfig --level 2345 apf on

To remove it from autostart, run this:

chkconfig --del apf

13. Denying IPs with APF Firewall (Blocking)
Now that you have your shiny new firewall you probably want to block a
host right, of course you do! With this new version APF now supports
comments as well. There are a few ways you can block an IP, I'll show you
2 of the easier methods.

> The -d flag means DENY the IP address
> IPHERE is the IP address you wish to block
> COMMENTSHERENOSPACES is obvious, add comments to why the IP is being
These rules are loaded right away into the firewall, so they're instantly

./apf -d TESTING

pico /etc/apf/deny_hosts.rules

Shows the following:

# added on 08/23/05 01:25:55

B) pico /etc/apf/deny_hosts.rules

You can then just add a new line and enter the IP you wish to block.
Before this becomes active though you'll need to reload the APF ruleset.

/etc/apf/apf -r

14. Allowing IPs with APF Firewall (Unblocking)
I know I know, you added an IP now you need it removed right away! You
need to manually remove IPs that are blocked from deny_hosts.rules.
pico /etc/apf/deny_hosts.rules

Find where the IP is listed and remove the line that has the IP.
After this is done save the file and reload apf to make the new changes

/etc/apf/apf -r

B) If the IP isn't already listed in deny_hosts.rules and you wish to
allow it, this method adds the entry to allow_hosts.rules

> The -a flag means ALLOW the IP address
> IPHERE is the IP address you wish to allow
> COMMENTSHERENOSPACES is obvious, add comments to why the IP is being
removed. These rules are loaded right away into the firewall, so they're
instantly active.

vi /etc/apf/allow_hosts.rules
# added on 08/23/05 01:39:43
Site Admin
Posts: 283
Joined: Fri Oct 23, 2009 11:19 pm
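
The post tells you to list your SSH port in TCP_IN (CSF) or IG_TCP_CPORTS (APF) and only then switch off TESTING or the DEV option. The script below is an added example, not part of the original post or of either project: it checks both config styles for that lockout condition before test mode is disabled. The function names, the sample configs, SSH port 2222, the csf `KEY = "value"` syntax with `lo:hi` ranges and the APF `DEVEL_MODE` key are assumptions.

```shell
#!/bin/sh
# Pre-flight check before leaving test mode: is the SSH port still allowed in?
# Added example; function names are hypothetical.

# conf_get FILE KEY: value of KEY; accepts KEY = "v" (csf) and KEY="v" (APF).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1 | tr -d ' '
}

# port_allowed LIST PORT: status 0 if PORT is listed or falls inside a range.
# Ranges: lo:hi (csf, assumed) or lo_hi (APF, as in the 3000_3500 comment).
port_allowed() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case $item in
            *[:_]*) lo=${item%%[:_]*}; hi=${item##*[:_]}
                    [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ] && return 0 ;;
            *)      [ "$item" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# lockout_check FILE SSH_PORT: prints findings; exit status = number of findings.
lockout_check() {
    file=$1 port=$2 findings=0
    if grep -q '^[[:space:]]*TCP_IN' "$file"; then    # csf-style config
        list=$(conf_get "$file" TCP_IN); mode=$(conf_get "$file" TESTING); flag=TESTING
    else                                              # APF-style config
        list=$(conf_get "$file" IG_TCP_CPORTS); mode=$(conf_get "$file" DEVEL_MODE); flag=DEVEL_MODE
    fi
    if ! port_allowed "$list" "$port"; then
        echo "FAIL: SSH port $port is not in the inbound TCP list ($list)"; findings=$((findings + 1))
    fi
    if [ "$mode" != "0" ]; then
        echo "WARN: $flag=$mode, test mode is still on"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample configs (not from a real server); SSH was moved to 2222.
tmp=$(mktemp -d)
printf '%s\n' 'TESTING = "1"' 'TCP_IN = "20,21,22,25,53,80,443,30000:35000"' > "$tmp/csf.conf"
printf '%s\n' 'DEVEL_MODE="0"' 'IG_TCP_CPORTS="21,25,53,80,443,2222,3000_3500"' > "$tmp/conf.apf"
lockout_check "$tmp/csf.conf" 2222 || echo "csf: $? finding(s)"
lockout_check "$tmp/conf.apf" 2222 && echo "apf: ok"
rm -rf "$tmp"
```

Fix a FAIL before setting TESTING or the DEV option to 0; the WARN only tells you the firewall is still in test mode.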
