=======================================
ConfigServer Security & Firewall (csf)
=======================================


Howto Get it
=============

::

    wget http://www.configserver.com/free/csf.tgz

Howto Install CSF
==========================

::

    wget http://www.configserver.com/free/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh

If you would like to disable APF+BFD (which you will need to do if you have
them installed, otherwise they will conflict horribly)::

    sh disable_apf_bfd.sh

You should ensure that the kernel logging daemon (klogd) is enabled.

Howto Configure CSF
=============================

All csf files are located in /etc/csf/. Edit /etc/csf/csf.conf:

1. Set TESTING=0 to turn off testing mode.
2. TCP_IN = "20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306"
3. TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089"
4. UDP_IN = "20,21,53,953"
5. UDP_OUT = "20,21,53,953"
6. Save and quit.
7. Restart csf with ``csf -r``.
8. Check the status with ``csf -l``.

You can allow an IP by adding it to /etc/csf/csf.allow with ``csf -a <ip>``,
and deny an IP by adding it to /etc/csf/csf.deny with ``csf -d <ip>``.

You can also do all of this through the WHM user interface; the csf plugin is listed at the bottom of the WHM menu.

On some servers an iptables error occurs when csf is restarted. The cause is iptables modules that are missing inside the VE (OpenVZ container).

Solution
--------

Following is the method for adding modules to the VEs.

=> Edit /etc/sysconfig/iptables-config and /etc/sysconfig/vz on the hardware
node.

=> Add the modules you need to the IPTABLES_MODULES= line of
/etc/sysconfig/iptables-config and to the IPTABLES= line of
/etc/sysconfig/vz.

=> Please note that all iptables modules in the IPTABLES parameter of the
/etc/sysconfig/vz file must be listed on one single line; no line breaks are
allowed in this parameter.

=> The typical firewall configuration needs these modules::

    ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport
    iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length
    ipt_state iptable_nat ip_nat_ftp

=> Save and exit.

=> Restart vz::

    # service vz stop
    # service iptables restart
    # service vz start
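As an added check that is not part of this page or of csf itself, the following Python script validates the TESTING setting and the TCP_IN/TCP_OUT/UDP_IN/UDP_OUT port lists of a csf.conf fragment (flagging empty fields left by stray commas, out-of-range ports and inverted low:high ranges) and reports which of the modules listed above are missing from the single-line IPTABLES= setting of /etc/sysconfig/vz. The sample configuration is constructed and the function names are this example's own.

```python
import re

PORT_LISTS = ("TCP_IN", "TCP_OUT", "UDP_IN", "UDP_OUT")  # comma-separated ports or low:high ranges
# Modules the page lists as needed by a typical firewall inside an OpenVZ VE.
REQUIRED_MODULES = ("ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter "
                    "iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp").split()
_SETTING = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')

SAMPLE_CONF = '''# constructed csf.conf fragment: still in testing mode, stray comma in UDP_OUT
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306"
UDP_OUT = "20,21,53,,953"
'''

def parse_settings(text):
    """Map NAME -> value for KEY = "value" lines; comment lines are skipped."""
    lines = (ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    return {m.group(1): m.group(2).strip() for m in map(_SETTING.match, lines) if m}

def check_port_list(name, value):
    """Findings for one port list: empty fields, bad ports, inverted low:high ranges."""
    findings = []
    for field in (f.strip() for f in value.split(",")):
        if field == "":
            findings.append(f"{name}: empty field (stray comma)")
            continue
        low, _, high = field.partition(":")
        parts = [low, high] if high else [low]
        if not all(p.isdigit() and 1 <= int(p) <= 65535 for p in parts):
            findings.append(f"{name}: invalid port or range '{field}'")
        elif high and int(low) > int(high):
            findings.append(f"{name}: inverted range '{field}'")
    return findings

def check_csf_conf(text):
    """All findings for a csf.conf fragment; an empty list means nothing was flagged."""
    settings = parse_settings(text)
    findings = []
    if settings.get("TESTING") != "0":
        findings.append("TESTING is not 0: csf is still in testing mode")
    for name in PORT_LISTS:
        if name in settings:
            findings.extend(check_port_list(name, settings[name]))
    return findings

def missing_modules(vz_config, required=REQUIRED_MODULES):
    """Required modules absent from the single-line IPTABLES="..." setting of /etc/sysconfig/vz."""
    present = set(parse_settings(vz_config).get("IPTABLES", "").split())
    return [m for m in required if m not in present]
```

Run check_csf_conf on the contents of /etc/csf/csf.conf before ``csf -r``; because the IPTABLES value must sit on one line, missing_modules deliberately reads only a single IPTABLES= line and will report a wrapped list as incomplete.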