Config Server Firewall. Đặng Thanh Bình

Transcription

1 Config Server Firewall Đặng Thanh Bình

2 Contents Introduction Features Installation Basic CSF commands Advanced Configuration 2

3 INTRODUCTION

4 Intro Config Server Firewall (CSF) is a free and advanced firewall for most Linux distros and Linux VPS. In addition to the basic functionality of a firewall filtering packets CSF includes other security features, such as login/intrusion/flood detections UI integration for cpanel, DirectAdmin and Webmin 4

5 Intro Recognize many attacks: port scans, SYN floods, and login brute force attacks on many services Temporarily block clients who are detected to be attacking the cloud server. 5

6 Notes This tutorial covers IPv4 security. In Linux, IPv6 security is maintained separately from IPv4 For example "iptables" only maintains firewall rules for IPv4 addresses "ip6tables" can be used to maintain firewall rules for IPv6 network addresses. 6

7 FEATURES

8 1.Login auth. failure daemon CSF checks the logs for failed login attempts at regular time interval Recognize most unauthorized attempts to gain access to your cloud server You can define the desired action CSF takes and after how many attempts in the configuration file. 8

9 1.Login auth. failure daemon The following applications are supported by this feature: Courier imap, Dovecot, uw-imap, Kerio openssh cpanel, WHM, Webmail (cpanel servers only) Pure-ftpd, vsftpd, Proftpd Password protected web pages (htpasswd) Mod_security failures (v1 and v2) Suhosin failures Exim SMTP AUTH 9

10 1.Login auth. failure daemon In addition to these, you are able define your own login files with regular expression matching. This can be helpful if you have an application which logs failed logins, but does block the user after specific number of attempts. 10

11 2.Process tracking CSF can be configured to track processes in order to detect suspicious processes or open network ports send an to the system administrator if any is detected. This may help you to identify and stop a possible exploit on your VPS. 11

12 3.Directory watching Directory watching monitors the /temp and other relevant folders for malicious scripts, and sends an to the system administrator when one is detected. 12

13 4.Messenger service Enabling this feature allows CSF to send a more informative message to the client when a block is applied This feature has both pros and cons. provides more information to the client, and thus may cause less frustration for instance in case of failed logins. provides more information, which might make it easier for an attacker to attack your VPS. 13

14 5.Port flood protection This setting provides protection against port flood attacks, such as DoS attacks You may specify the amount of allowed connections on each port within time period of your liking Enabling this feature is recommended Too restrictive settings will drop connections from normal clients Too permissive settings may allow an attacker to succeed in a flood attack. 14

15 6.Port knocking Port knocking allows clients to establish connections a server with no ports open The server allows clients connect to the main ports only after a successful port knock sequence You may find this useful if you offer services which are available to only limited audience. 15

16 7.Port/IP address redirection CSF can be configured to redirect connections to an IP/port to another IP/port. Note: After redirection, the source address of the client will be the server's IP address. This is not an equivalent to network address translation (NAT). 16

17 8.IP block lists This feature allows CSF to download lists of blocked IP addresses automatically from sources defined by you. 17

18 INSTALLATION

19 Step 1: Install Dependencies CSF is based on Perl, so you need to install Perl on our server first You also need wget to download the CSF installer and vim for editing the CSF configuration file. yum install wget vim perl libwww perl.noarch perl Time HiRes 19

20 Step 2: Install CSF Download cd /usr/src/ wget Extract the tar.gz file and go to csf directory, then install it: tar xzf csf.tgz cd csf sh install.sh 20

21 Step 2: Install CSF Completed info 21

22 Step 2: Install CSF Now you should check that CSF really works on this server. Go to the "/usr/local/csf/bin/" directory, and run "csftest.pl". cd /usr/local/csf/bin/ perl csftest.pl If you see the test results as shown below, then CSF is running without problems on your server: RESULT: csf should function on this server 22

23 Step 2: Install CSF 23

24 Step 3 - Configure CSF You have to stop firewalld or the current firewall and remove it from the startup. systemctl stop firewalld systemctl disable firewalld Then go to the CSF Configuration directory "/etc/csf/" and edit the file "csf.conf" with the vim editor: cd /etc/csf/ vim csf.conf Change line 11 "TESTING " to "0" for applying the firewall configuration. TESTING = "0" 24

25 Step 3 - Configure CSF By default CSF allows SSH standard port 22, if you use a different SSH port, add your port to the configuration in line 139 "TCP_IN". Now start CSF and LFD with systemctl command: systemctl start csf systemctl start lfd And then enable the csf and lfd services to be started at boot time: systemctl enable csf systemctl enable lfd Now you can see the list default rules of CSF with command: csf l 25

26 BASIC CSF COMMANDS

27 Basic CSF Commands Start the firewall (enable the firewall rules): csf s Flush/Stop the firewall rules. csf f Restart CSF. csf r 27

28 Basic CSF Commands Allow an IP and add it to csf.allow. csf a Results: Adding to csf.allow and iptables ACCEPT... ACCEPT all opt in!lo out * > /0 ACCEPT all opt in * out!lo /0 >

29 Basic CSF Commands Remove and delete an IP from csf.allow. csf ar Results: Removing rule... ACCEPT all opt in!lo out * > /0 ACCEPT all opt in * out!lo /0 >

30 Basic CSF Commands Deny an IP and add to csf.deny: csf d Results: Adding to csf.deny and iptables DROP... DROP all opt in!lo out * > /0 LOGDROPOUT all opt in * out!lo /0 >

31 Basic CSF Commands Remove and delete an IP from csf.deny. csf dr Results: Removing rule... DROP all opt in!lo out * > /0 LOGDROPOUT all opt in * out!lo /0 >

32 Basic CSF Commands Remove and Unblock all entries from csf.deny. csf df Results: DROP all opt in!lo out * > /0 LOGDROPOUT all opt in * out!lo /0 > DROP all opt in!lo out * > /0 LOGDROPOUT all opt in * out!lo /0 > csf: all entries removed from csf.deny 32

33 Basic CSF Commands Search for a pattern match on iptables e.g : IP, CIDR, Port Number csf g

34 ADVANCED CONFIG

35 What to do? Edit the csf.conf configuration file: cd /etc/csf/ vim csf.conf 35

36 Advanced Configuration Don't Block IP addresses that are in the csf.allow files By default lfd also will block an IP under csf.allow files If you want that an IP in csf.allow files never get blocked by lfd, go to the line 272 and change "IGNORE_ALLOW" to "1". IGNORE_ALLOW = "1" 36

37 Advanced Configuration Allow Incoming and Outgoing ICMP Go to the line 152 for incoming ping/icmp: ICMP_IN = "1" And line 159 for outgoing ping ping/icmp: ICMP_OUT = "1" 37

38 Advanced Configuration Block Certain Countries CSF provide an option to allow and deny access by country using the CIDR (Country Code). Go to line 836 and add the country codes that shall be allowed and denied: CC_DENY = "CN,UK,US" CC_ALLOW = "ID,MY,DE" 38

39 Advanced Configuration Send the Su and SSH Login log by Go to the line 1069 and change the value to "1". LF_SSH_ _ALERT = "1"... LF_SU_ _ALERT = "1" And then define the address you want to use in line 588. LF_ALERT_TO = "mymail@mydomain.tld" 39

40 Q&A 40