Install CSF/LFD to help secure your Linux server

Discussion in 'Linux Other' started by Rob, May 10, 2017.

    There are many things that Linux admins do to try and keep their servers as secure as possible. Adding a good firewall and intrusion detection software package is always a great idea. Also, it will amaze you as to how many bad guys are attempting to get in.

    There are a few good ones out there, but this article will concentrate on ConfigServer's CSF/LFD (ConfigServer Firewall / Login Failure Daemon). This tutorial applies to all popular distributions, whether Red Hat based (CentOS, Scientific, etc.), Debian based (*buntu), Arch, etc.

    First things first, let's look at what it does.

    Some of the main features of this software:
    • Lock down your incoming and outgoing tcp/udp ports
    • Easily block IP addresses or IP ranges
    • Block bad guys automatically after x failed login attempts
    • Receive an email when users successfully log into the system

    A more complete list of features is here. Most of this is set up for you automatically. You will be impressed with how it performs with default settings, though you have control to tweak it to your liking.

    Installation
    Ok, so let's get going. SSH into your server and become root. cd into the /usr/src/ directory and grab the installation files.

    Code:
    cd /usr/src
    wget https://download.configserver.com/csf.tgz
    Next, unpack it using tar with the xzf flags:
    Code:
    tar -xzf csf.tgz
    Once it's finished unpacking, cd into the new csf directory and run the install script:

    Code:
    cd csf
    sh install.sh
    It will run through the installation and shouldn't take too long. Once it's complete, they recommend running the following script to check for the iptables modules:

    Code:
    perl /usr/local/csf/bin/csftest.pl
    It will probably output something like 'CSF should run fine on your system' when it's complete.

    Woo, it's installed! Now, let's configure it a little bit.

    CSF installs into the /etc/csf/ directory, so let's go there and modify some basic settings.

    Add all of your known IP addresses to CSF's whitelist files. The two files you need to add your IP address(es) to are:
    Code:
    /etc/csf/csf.allow
    /etc/csf/csf.ignore
    This will make sure you don't get locked out accidentally: csf.allow lets the address through the firewall, and csf.ignore keeps LFD from blocking it. Add IPs one per line. You can also use CIDR (Classless Inter-Domain Routing) ranges, and you can put comments inline.

    Example:
    Code:
    111.222.111.222 # Joe's house
    111.111.222.0/24 # Tom's office
    Now, let's edit the main configuration file:
    Code:
    /etc/csf/csf.conf
    This file is the one that controls how CSF and LFD act on your server. It's fine in its default form for a lot of people, but we can change a few things for now.

    Take it out of testing mode by changing:
    (around line 11 in the csf.conf)
    Code:
    TESTING = "1"
    to:
    Code:
    TESTING = "0"
    Next, let's limit which ports are open to the public. Around line 139 in the csf.conf, include only the ports you want the public to be able to connect to. The default line is:

    Code:
    TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
    For instance, if you only want the public to be able to hit the web server port, then only leave 80 and 443 open. If you want unknown (non-whitelisted) IPs to be able to hit port 22, then leave that in; likewise 20 and 21 for FTP, etc. This example shows what it would look like for allowing ssh and httpd from unknown IPs:
    Code:
    TCP_IN = "22,80,443"
    Note: IPs in the /etc/csf/csf.allow file can hit any port, regardless of whether the port is blocked in this configuration.

    Ok, let's restart the firewall and complete the installation! Restart CSF and LFD by typing:
    Code:
    csf -r
    service lfd restart
    Now, to see it in action, you can tail your system messages file and watch all of the blocking!
    Red Hat, CentOS, etc.:
    Code:
    tail -f /var/log/messages
    Debian, Ubuntu, etc.:
    Code:
    tail -f /var/log/syslog
    (hit ctrl-c to get out of the tail command)

    You may not see anything right away, but leave it up for a little bit and you're sure to see some action.

    Graphical User Interface
    You don't need the UI (User Interface) to run and configure/tweak CSF, but it may come in handy one day. The good news is that if you're using cPanel or DirectAdmin, it's already set up! If you're using Webmin, you can set it up (info: https://download.configserver.com/csf/install.txt). If you're not using a control panel on your server, you can still set up the CSF UI if you like.

    On your server, open up the csf.conf file again and go to around line 1752 (SECTION:Integrated User Interface).

    Change:
    Code:
    UI = "0"
    to
    Code:
    UI = "1"
    Change:
    Code:
    UI_PORT = "6666"
    to:
    Code:
    UI_PORT = "xxxx"
    (where xxxx = a port number above 1023 that isn't currently being used for something else)

    Change:
    Code:
    UI_USER = "username"
    to:
    Code:
    UI_USER = "any_username"
    (any name you want, doesn't have to exist on the system)

    Change:
    Code:
    UI_PASS = "password"
    to:
    Code:
    UI_PASS = "anypassword"
    (pick a good one; it can be anything)

    You can look at the other settings, but they should be fine. Now, cd into the UI directory:
    Code:
    cd /etc/csf/ui
    Edit the ui.allow file by adding IP addresses that you'd like to connect from. Then save/quit the file.

    Restart csf/lfd to bring it up:
    Code:
    csf -r
    service lfd restart
    Now, load up a browser and hit the IP (or hostname) and port of your server for the UI. It uses SSL, so be sure to use https to connect. It would be something like: https://111.222.111.222:6666

    Basic command line options
    You should memorize some of these basic command line options for when you're in a jam.

    Restart CSF:
    Code:
    csf -r
    Restart LFD:
    Code:
    service lfd restart
    Block an IP address:
    Code:
    csf -d xxx.xxx.xxx.xxx
    Unblock an IP address:
    Code:
    csf -dr xxx.xxx.xxx.xxx
    Add an IP to the csf.allow file:
    Code:
    csf -a xxx.xxx.xxx.xxx
    Show the csf help file:
    Code:
    csf -h
    How'd it go? Let us know in the comments.
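
Added example, not part of the original post: a shell check over csf.conf for the settings the tutorial changes, flagging TESTING left on, TCP_IN ports beyond the ones you meant to open, and the UI enabled with the placeholder UI_USER, UI_PASS or UI_PORT values. The function names `conf_get` and `csf_audit` and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. conf_get and csf_audit are
# hypothetical helper names; the keys and default values are those quoted above.

# Print the value of KEY ($2) from a file ($1) of KEY = "value" lines.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Usage: csf_audit CONF ALLOWED_PORTS   (ALLOWED_PORTS like "22,80,443")
# Prints one finding per line; no output means nothing was flagged.
csf_audit() {
    conf=$1 allowed=",$2,"
    [ "$(conf_get "$conf" TESTING)" = "0" ] || echo "TESTING is not set to 0"
    # Flag every TCP_IN entry that is not on the intended public list.
    for port in $(conf_get "$conf" TCP_IN | tr ',' ' '); do
        case $allowed in
            *",$port,"*) ;;
            *) echo "TCP_IN opens unexpected port $port" ;;
        esac
    done
    # The remaining checks only matter when the integrated UI is switched on.
    [ "$(conf_get "$conf" UI)" = "1" ] || return 0
    [ "$(conf_get "$conf" UI_USER)" != "username" ] || echo "UI_USER is still the default"
    [ "$(conf_get "$conf" UI_PASS)" != "password" ] || echo "UI_PASS is still the default"
    ui_port=$(conf_get "$conf" UI_PORT)
    case $ui_port in
        ''|*[!0-9]*) echo "UI_PORT is not a number: '$ui_port'" ;;
        6666) echo "UI_PORT is still the default 6666" ;;
        *) [ "$ui_port" -gt 1023 ] || echo "UI_PORT $ui_port is not above 1023" ;;
    esac
}

# Constructed sample: the defaults quoted in the post, with the UI switched on.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
UI = "1"
UI_PORT = "6666"
UI_USER = "username"
UI_PASS = "password"
EOF
csf_audit "$sample" "22,80,443"   # prints 14 findings for this sample
rm -f "$sample"
```

On a real server, run it as `csf_audit /etc/csf/csf.conf "22,80,443"` with the port list you actually intend to expose.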
     
