There are many things that Linux admins do to try and keep their servers as secure as possible. Adding a good firewall and intrusion detection software package is always a great idea. Also, it will amaze you as to how many bad guys are attempting to get in. There are a few good ones out there, but this article will concentrate on Configserver's CSF/LFD (Configserver firewall / Login Failure Daemon). This tutorial also applies to all popular distributions whether it's Red Hat based (CentOS, Scientific, etc..), Debian (*buntu, ), Arch, etc.. First things first, let's look at what it does. Some of the main features of this software: Lock down your incoming and outgoing tcp/udp ports Easily block IP addresses or IP ranges Block bad guys automatically after x failed login attempts Receive an email when users successfully log into the system A more complete list of features is here. Most of this is set up for you automatically. You will be impressed with how it performs with default settings, though you have control to tweak it to your liking. Installation Ok, so let's get going. SSH into your server and become root. cd into the /usr/src/ directory and grab the installation files. Code: cd /usr/src wget https://download.configserver.com/csf.tgz Next, unpack it using tar with the xzf flags: Code: tar -xzf csf.tgz Once it's finished unpacking, cd into the new csf directory and run the install script: Code: cd csf sh install.sh It will run through the installation and shouldn't take too long. Once it's complete, they recommend running the following script to check for the iptables modules: Code: perl /usr/local/csf/bin/csftest.pl It will probably output something like 'CSF should run fine on your system' when it's complete. Woo, it's installed! Now, let's configure it a little bit. CSF installs into the /etc/csf/ directory, so let's go there and modify some basic settings. Add all of your known IP addresses to CSF's whitelist files. The two files you need to add your IP address(es) to are: Code: /etc/csf/csf.allow /etc/csf/csf.ignore This will make sure you don't get locked out accidently. Add any IPs one at a time, one line each. You can also use CIDR (Classless inter-domain routing) addresses and you can put comments inline. Example: Code: 184.108.40.206 # Joe's house 220.127.116.11/24 # Tom's office Now, let's edit the main configuration file Code: /etc/csf/csf.conf This file is the one that controls how CSF and LFD act on your server. It's fine in it's default form for a lot of people, but we can change a few things for now. Take it out of testing mode by changing: (around line 11 in the csf.conf) Code: TESTING = "1" to: Code: TESTING = "0" Next, let's limit what ports are open for the public. Around line 139 in the csf.conf, include only the ports for which you want the public to connect to. The default line is: Code: TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995" For instance, if you only want the public to be able to hit the web server port, then only leave 80 and 443 open. If you want unknown (non-whitelisted IPs) to be able to hit port 22, then leave that in.. 20, 21 for FTP, etc.. this example shows what it would look like for allowing ssh and httpd from unknown IPs: Code: TCP_IN = "22,80,443" Note: IPs in the /etc/csf.allow file can hit any port regardless of whether it's blocked or not in this configuration Ok, let's restart the firewall and complete the installation! Restart CSF and LFD by typing: Code: csf -r service lfd restart Now, to see it in action, you can tail your system messages file and watch all of the blocking! Red Hat, CentOS, etc..: Code: tail -f /var/log/messages Debian, Ubuntu, etc..: Code: tail -f /var/log/syslog (hit ctrl-c to get out of the tail command) You may not see anything right away, but leave it up for a little bit and you're sure to see some action. Graphical User Interface You don't need the UI (User Interface) to run and configure/tweak CSF, but it may come in handy one day. The good news is that if you're using cpanel or directadmin it's already set up! If you're using webmin, you can set it up (info: https://download.configserver.com/csf/install.txt). If you're not using a GUI on your server, you can still set up the CSF UI if you like. On your server, open up the csf.conf file again and go to around line 1752 (SECTION:Integrated User Interface). Change: Code: UI = "0" to Code: UI = "1" Change: Code: UI_PORT = "6666" to: Code: UI_PORT = "xxxx" (where xxxx = an IP above 1023 and isn't currently being used for something else) Change: Code: UI_USER = "username" to: Code: UI_USER = "any_username" (any name you want, doesn't have to exist on the system) Change: Code: UI_PASS = "password" to: Code: UI_PASS = "anypassword" (pick a good one.. can be anything) You can look at the other settings, but they should be fine. Now, cd into the UI directory: Code: cd /etc/csf/ui Edit the ui.allow file by adding IP addresses that you'd like to connect from. Then save/quit the file. Restart csf/lfd to bring it up: Code: csf -r service restart lfd Now, load up a browser and hit the ip (or hostname) and port of your server for the UI. It uses SSL, so be sure to use https to connect. It would be something like: https://18.104.22.168:6666 Basic command line options You should memorize some of these basic command line options for when you're in a jam. Restart CSF: Code: csf -r Restart LFD: Code: service lfd restart Block an IP address: Code: csf -d xxx.xxx.xxx.xxx Unblock an IP address: Code: csf -dr xxx.xxx.xxx.xxx Add an IP to the csf.allow file: Code: csf -a xxx.xxx.xxx.xxx Show the csf help file: Code: csf -h How'd it go? Let us know in the comments.