CSF, APF

Postby chandranjoy » Sun Mar 07, 2010 8:08 pm

CSF - Config Server Firewall is a stateful packet inspection firewall,
login/intrusion detection and security application for Linux servers. What
does that mean in English? Simple - it's a program that can greatly
improve your dedicated server or VPS's security.

It's a firewall, so it can block or restrict ports you don't want open, and
it prevents an intruder from using any port they want if they do break in.
It has intrusion detection, so it scans the log files, monitors failed login
attempts (such as FTP password guessing) and blocks the offending IP.
Those are the two big things I like about CSF, and it has a nice interface
for the non-techie person on cPanel servers.

http://www.configserver.com/cp/csf.html

If you have another firewall installed, like APF, CSF can help you
automatically remove the existing firewall and install theirs instead.
Keep in mind it won't migrate over your configuration.

Installation
Installation is quite straightforward. Log in to SSH as the root user and
run the following commands (article provided by innovationframes.com):

rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh


If you would like to disable APF+BFD (which you will need to do if you have
them installed, otherwise they will conflict horribly):

sh disable_apf_bfd.sh

That's it. You can then configure csf and lfd in WHM, or edit the files
directly in /etc/csf/*

Installation Completed

Don't forget to:

1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf
configuration to suit your server

2. Restart csf and lfd

3. Set TESTING to 0 once you're happy with the firewall

csf is pre-configured to work on a cPanel server with all the standard cPanel
ports open. It also auto-configures your SSH port if it's non-standard on
installation.

You should ensure that the kernel logging daemon (klogd) is enabled.
Typically, VPS servers have this disabled; check /etc/init.d/syslog and
make sure that any klogd lines are not commented out. If you change the
file, remember to restart syslog.
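As an added example (not from the original post), here is a small POSIX shell check for the klogd lines in a SysV-style init script such as /etc/init.d/syslog. The function names are my own, and the two script fragments it inspects are constructed samples so the check runs offline; on a real server you would point check_klogd at the actual init script.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a SysV syslog
# init script still starts klogd, or has its klogd lines commented out.

# Return 0 if FILE contains at least one klogd line that is commented out.
klogd_commented_out() {
    grep -Eq '^[[:space:]]*#.*klogd' "$1"
}

# Return 0 if FILE contains at least one active (uncommented) klogd line.
klogd_active() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*klogd' "$1"
}

# Print a verdict for FILE; return 0 only when klogd is enabled.
check_klogd() {
    if klogd_active "$1" && ! klogd_commented_out "$1"; then
        echo "OK: klogd is enabled in $1"
        return 0
    fi
    echo "WARN: klogd is disabled or commented out in $1 (csf/lfd will not see kernel log lines)"
    return 1
}

# Constructed sample 1: the typical VPS case, klogd commented out.
SAMPLE_DISABLED=$(mktemp)
cat > "$SAMPLE_DISABLED" <<'EOF'
start() {
        echo -n "Starting system logger: "
        daemon syslogd $SYSLOGD_OPTIONS
        #echo -n "Starting kernel logger: "
        #daemon klogd $KLOGD_OPTIONS
}
EOF

# Constructed sample 2: klogd enabled.
SAMPLE_ENABLED=$(mktemp)
cat > "$SAMPLE_ENABLED" <<'EOF'
start() {
        daemon syslogd $SYSLOGD_OPTIONS
        daemon klogd $KLOGD_OPTIONS
}
EOF

check_klogd "$SAMPLE_DISABLED" || :   # prints the WARN line
check_klogd "$SAMPLE_ENABLED"         # prints the OK line
```

Run it as `sh check_klogd.sh`; to check a live box, call `check_klogd /etc/init.d/syslog` instead of the constructed samples.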

Now log in to your cPanel server's WHM as root and go to the bottom left
menu. If already logged in, reload the page. Under Plugins you will
see: ConfigServer Security & Firewall

The firewall is STOPPED by default; it is not running. We need to
configure it, and then take it out of Test Mode.

Click on Firewall Configuration

ETH_DEVICE = : Set this to eth+

TCP_IN/TCP_OUT/UDP_IN/UDP_OUT = : These are the ports you want to leave
open for your server to operate. If you change the default SSH port, make
sure to add it here. Also add any other services you might have running,
such as Shoutcast or game servers. By default most of the ports used
should already be configured.

MONOLITHIC_KERNEL = 0: Only change this to 1 if your firewall will not
start; otherwise leave it as is.

LF_DSHIELD = 0: Change this option to 86400. This is an automatically
updated list of known attacking IPs. Enabling this will stop them from
being able to connect to your server.

Spam Protection Alerts
If you want to add some spam protection, CSF can help. Look in the
configuration for the following:

LF_SCRIPT_ALERT = 0: change this to 1. This will send an email alert to the
system administrator when the limit configured below is reached within an
hour.

LF_SCRIPT_LIMIT = 100: change this to 250. This will alert you when any
script sends out 250 email messages in an hour.


Configuration Complete - Almost
Scroll down to the bottom and click on Change to save the settings. Then
click Restart csf+lfd

You should see a big page of ACCEPT and near the bottom you should see:

csf: TESTING mode is enabled - don't forget to disable it in the
configuration
Starting lfd:[ OK ]

Click on Return

Now TEST all your services to make sure everything is working: SSH, FTP,
HTTP. After you do a few quick tests, go back into the Firewall
Configuration page.

TESTING = 1 change this to 0 and click Change at the bottom. Then Restart
csf+lfd

That's it, the firewall is successfully installed and running!!
Firewall Status: Running - you should see this on the main CSF page in WHM.


APF (Advanced Policy Firewall)
APF is a policy-based iptables firewall system designed for ease of use
and configuration. It employs a subset of features to satisfy the veteran
Linux user and the novice alike. Packaged in both tar.gz and RPM formats,
APF is easy to deploy in many Linux-based server environments. APF is
developed and maintained by R-fx Networks:
http://www.rfxnetworks.com/apf.php

This guide will show you how to install and configure the APF firewall, one
of the better known Linux firewalls available.

Requirements:
- Root SSH access to your server

Let's begin!
Log in to your server through SSH and su to the root user.

1. cd /root/downloads or another temporary folder where you store your files.

2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

3. tar -xvzf apf-current.tar.gz

4. cd apf-0.9.5-1/ or whatever the latest version is.

5. Run the install file: ./install.sh
You will receive a message saying it has been installed

Installing APF 0.9.5-1: Completed.

Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/


Other Details:
Listening TCP ports:
1,21,22,25,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306
Listening UDP ports: 53,55880
Note: These ports are not auto-configured; they are simply presented for
information purposes. You must manually configure all port options.

6. Let's configure the firewall: pico /etc/apf/conf.apf
We will go over the general configuration to get your firewall running.
This isn't a complete detailed guide of every feature the firewall has.
Look through the README and the configuration for an explanation of each
feature.

We like to use DShield.org's "block" list of top networks that have exhibited
suspicious activity.
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"

7. Configuring Firewall Ports:

Cpanel Servers
We like to use the following on our Cpanel Servers

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports - 3000_3500 = passive port range for Pure-FTPd
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"


Ensim Servers
We have found the following can be used on Ensim Servers - although we
have not tried these ourselves as I don't run Ensim boxes.

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

Save the changes: Ctrl+X then Y
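The following is an added shell example, not part of the original post: a parser for the port-list syntax used in IG_TCP_CPORTS above (single ports and LOW_HIGH ranges such as 3000_3500). It also accepts the LOW:HIGH range form that csf uses in TCP_IN, so the same check serves the TCP_IN/TCP_OUT step in the CSF section. It compares the cPanel IG_TCP_CPORTS value from step 7 with the listening TCP ports the installer reported in step 5, to show which listening services the ruleset would leave unreachable from outside. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: parse an APF/csf port list
# and report listening ports that the list does not cover.

# Return 0 if PORT is covered by LIST.  LIST is comma-separated; an entry is
# a single port or a range written LOW_HIGH (APF style, as in 3000_3500) or
# LOW:HIGH (csf TCP_IN style).  Spaces in LIST are ignored.
port_allowed() {
    pa_port=$1
    pa_list=$(printf '%s' "$2" | tr -d ' ')
    pa_oldifs=$IFS
    IFS=,
    for pa_entry in $pa_list; do
        case $pa_entry in
            '') ;;                                  # tolerate ",," or a trailing comma
            *_*|*:*)
                pa_low=${pa_entry%%[_:]*}
                pa_high=${pa_entry##*[_:]}
                if [ "$pa_port" -ge "$pa_low" ] && [ "$pa_port" -le "$pa_high" ]; then
                    IFS=$pa_oldifs; return 0
                fi ;;
            *)
                if [ "$pa_port" -eq "$pa_entry" ]; then
                    IFS=$pa_oldifs; return 0
                fi ;;
        esac
    done
    IFS=$pa_oldifs
    return 1
}

# Print, space-separated, the ports (arguments after LIST) not covered by LIST.
unlisted_ports() {
    ul_list=$1; shift
    ul_out=""
    for ul_p in "$@"; do
        port_allowed "$ul_p" "$ul_list" || ul_out="$ul_out $ul_p"
    done
    printf '%s\n' "${ul_out# }"
}

# Listening TCP ports reported by the installer in step 5 of the post.
LISTENING_TCP="1 21 22 25 53 80 110 111 143 443 465 993 995 2082 2083 2086 2087 2095 2096 3306"
# The cPanel IG_TCP_CPORTS value from step 7, as written there (spaces included).
CPANEL_IG_TCP="21,22,25,53,80,110,143,443,2082,2083, 2086,2087, 2095, 2096,3000_3500"

echo "Listening ports not covered by IG_TCP_CPORTS: $(unlisted_ports "$CPANEL_IG_TCP" $LISTENING_TCP)"
```

With the page's own values this prints `1 111 465 993 995`. Two things worth noticing: ports 465, 993 and 995 (SMTPS, IMAPS, POP3S) are listening but would be blocked inbound, so mail clients using TLS need them added; and 3306 (MySQL) is not listed explicitly but falls inside the 3000_3500 passive-FTP range, so it stays reachable from outside. If MySQL should not be exposed, narrow that range or make sure it only binds to localhost.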


8. Starting the firewall
/usr/local/sbin/apf -s

Other commands:
usage ./apf [OPTION]
-s|--start ......................... load firewall policies
-r|--restart ....................... flush & load firewall
-f|--flush|--stop .................. flush firewall
-l|--list .......................... list chain rules
-st|--status ....................... firewall status
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall

9. After everything is fine, change the DEVM option
This stops the firewall from automatically clearing itself every 5 minutes
from cron. We recommend changing this to "0" only after you've had a chance
to ensure everything is working well and have tested the server out.

pico /etc/apf/conf.apf

FIND: DEVM="1"
CHANGE TO: DEVM="0"

10. Configure AntiDOS for APF
Relatively new to APF is the AntiDOS feature, which can be found in:
/etc/apf/ad
The log file is located at /var/log/apfados_log, so you might want to
make a note of it and watch it!

pico /etc/apf/ad/conf.antidos

There are various things you might want to fiddle with, but I'll cover the
ones that will alert you by email.

# [E-Mail Alerts]
Under this heading we have the following:

# Organization name to display on outgoing alert emails
CONAME="Your Company"
Enter your company name or server name.

# Send out user defined attack alerts [0=off,1=on]
USR_ALERT="0"
Change this to 1 to get email alerts

# User for alerts to be mailed to
USR="your@email.com"
Enter your email address to receive the alerts

Save your changes! Ctrl+X then press Y
Restart the firewall: /usr/local/sbin/apf -r

11. Checking the APF Log

The log shows any changes to allowed and denied hosts, among other things.
tail -f /var/log/apf_log

Example output:
Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from 185.14.157.123
Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from 185.14.157.123
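An added example, not from the post: a shell summary of the "(insert) deny/allow" lines in apf_log, useful when reviewing what was blocked and later unblocked. The first two log lines are the ones shown above; the remaining two are constructed (RFC 5737 documentation addresses) so the script runs offline. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the post: summarise deny/allow inserts in apf_log.

# Count "(insert) ACTION all to/from" lines in FILE, where ACTION is deny or allow.
apf_log_count() {
    grep -c "(insert) $2 all to/from" "$1" || true
}

# Print "IP ACTION" for the most recent insert recorded per host, sorted by IP.
# A later allow for a host that was denied earlier shows up as allow.
apf_log_last_action() {
    awk '
        /\(insert\) (deny|allow) all to\/from / {
            for (i = 1; i <= NF; i++)
                if ($i == "(insert)") { action = $(i + 1) }
            last[$NF] = action
        }
        END { for (h in last) print h, last[h] }
    ' "$1" | sort
}

# Sample log: the first two lines are the ones shown in the post, the last two
# are constructed (RFC 5737 documentation addresses).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from 185.14.157.123
Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from 185.14.157.123
Aug 23 02:10:02 ocean apf(32510): (insert) deny all to/from 203.0.113.77
Aug 23 02:12:40 ocean apf(32611): (insert) deny all to/from 198.51.100.9
EOF

echo "deny inserts:  $(apf_log_count "$LOG" deny)"
echo "allow inserts: $(apf_log_count "$LOG" allow)"
echo "last action per host:"
apf_log_last_action "$LOG"
```

On a live server replace the constructed file with /var/log/apf_log; the "last action per host" list is a quick way to spot addresses that were denied and then allowed again, which is worth a second look in the deny_hosts.rules and allow_hosts.rules files.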

12. New - Make APF Start automatically at boot time
To autostart apf on reboot, run this:

chkconfig --level 2345 apf on

To remove it from autostart, run this:

chkconfig --del apf

13. Denying IPs with APF Firewall (Blocking)
Now that you have your shiny new firewall you probably want to block a
host right, of course you do! With this new version APF now supports
comments as well. There are a few ways you can block an IP, I'll show you
2 of the easier methods.

A) /etc/apf/apf -d IPHERE COMMENTHERENOSPACES
> The -d flag means DENY the IP address
> IPHERE is the IP address you wish to block
> COMMENTHERENOSPACES is obvious: add a comment on why the IP is being
blocked (no spaces)
These rules are loaded right away into the firewall, so they're instantly
active.
Example:

./apf -d 185.14.157.123 TESTING

pico /etc/apf/deny_hosts.rules

Shows the following:

# added 185.14.157.123 on 08/23/05 01:25:55
# TESTING
185.14.157.123

B) pico /etc/apf/deny_hosts.rules

You can then just add a new line and enter the IP you wish to block.
Before this becomes active though you'll need to reload the APF ruleset.

/etc/apf/apf -r

14. Allowing IPs with APF Firewall (Unblocking)
I know I know, you added an IP now you need it removed right away! You
need to manually remove IPs that are blocked from deny_hosts.rules.
A)
pico /etc/apf/deny_hosts.rules

Find where the IP is listed and remove the line that has the IP.
After this is done save the file and reload apf to make the new changes
active.

/etc/apf/apf -r

B) If the IP isn't already listed in deny_hosts.rules and you wish to
allow it, this method adds the entry to allow_hosts.rules

/etc/apf/apf -a IPHERE COMMENTHERENOSPACES
> The -a flag means ALLOW the IP address
> IPHERE is the IP address you wish to allow
> COMMENTHERENOSPACES is obvious: add a comment on why the IP is being
allowed (no spaces)
These rules are loaded right away into the firewall, so they're instantly
active.
Example:
./apf -a 185.14.157.123 UNBLOCKING

vi /etc/apf/allow_hosts.rules
# added 185.14.157.123 on 08/23/05 01:39:43
# UNBLOCKING
185.14.157.123
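As an added example (my code, not APF's), here is a shell helper for method B above: it validates the address, refuses duplicates, writes the entry in the same three-line format that apf -d and apf -a produce, and removes an entry cleanly together with its two comment lines. It takes the rules file path as an argument, so the demonstration below uses a temporary file rather than /etc/apf/deny_hosts.rules; after editing the real file you still need apf -r to load the change, as the post says. The 203.0.113.77 entry is a constructed documentation address.

```shell
#!/bin/sh
# Added example, my code rather than APF's: manage deny_hosts.rules /
# allow_hosts.rules entries by hand in the same format "apf -d" / "apf -a"
# write.  Pass the rules file as the first argument; after editing the real
# file you still need "apf -r" to load it.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
    ip_oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$ip_oldifs
    [ $# -eq 4 ] || return 1
    for ip_octet in "$@"; do
        case $ip_octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$ip_octet" -le 255 ] || return 1
    done
    return 0
}

# add_host_rule FILE IP COMMENT: append the three-line entry shown above.
# Refuses malformed addresses (exit 2) and duplicates (exit 1).
add_host_rule() {
    ah_file=$1; ah_ip=$2; ah_comment=$3
    if ! is_ipv4 "$ah_ip"; then
        echo "refusing: '$ah_ip' is not an IPv4 address" >&2
        return 2
    fi
    if [ -f "$ah_file" ] && grep -qxF "$ah_ip" "$ah_file"; then
        echo "$ah_ip is already listed in $ah_file" >&2
        return 1
    fi
    {
        printf '# added %s on %s\n' "$ah_ip" "$(date '+%m/%d/%y %H:%M:%S')"
        printf '# %s\n' "$ah_comment"
        printf '%s\n' "$ah_ip"
    } >> "$ah_file"
}

# remove_host_rule FILE IP: drop IP's entry, including its two comment lines.
remove_host_rule() {
    rh_file=$1; rh_ip=$2
    rh_tmp=$(mktemp)
    awk -v ip="$rh_ip" '
        skip > 0 { skip--; next }                      # inside an entry being removed
        $1 == "#" && $2 == "added" && $3 == ip { skip = 2; next }
        $0 == ip { next }                              # bare address line without header
        { print }
    ' "$rh_file" > "$rh_tmp" && mv "$rh_tmp" "$rh_file"
}

# Demonstration on a temporary file (the real file is /etc/apf/deny_hosts.rules).
RULES=$(mktemp)
add_host_rule "$RULES" 185.14.157.123 TESTING
add_host_rule "$RULES" 203.0.113.77 constructed-example   # documentation address
add_host_rule "$RULES" 185.14.157.123 AGAIN || echo "duplicate rejected (exit $?)"
add_host_rule "$RULES" 300.1.1.1 BAD || echo "malformed address rejected (exit $?)"
remove_host_rule "$RULES" 185.14.157.123
cat "$RULES"
```

The duplicate check matters because APF reads the whole file on apf -r, and a typo in a hand-edited address silently produces a rule for the wrong host; validating first and keeping the "# added ... on ..." header line intact preserves the audit trail the post shows.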