We have already discussed installing the ConfigServer firewall (CSF) on Linux. In this post you will see the most commonly used commands and the changes usually made in the configuration file.
Allow a port number in the firewall:
The ports below are opened by default:
# vi /etc/csf/csf.conf
##Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
##Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"
##Allow incoming UDP ports
UDP_IN = "20,21,53"
##To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
For example, if you want the MySQL port 3306 to be opened, add a comma (,) and the port to TCP_IN and TCP_OUT.
After the changes:
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,3306"
TCP_OUT = "20,21,22,25,53,80,110,113,443,3306"
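As an added example (not part of the original post), here is a small shell helper that makes the same TCP_IN / TCP_OUT edit as above but checks first whether the port is already listed, so running it twice does not produce duplicate entries. It works on a constructed copy of the settings written to a temporary file, not the live /etc/csf/csf.conf; port 3306 is the post's MySQL example.

```shell
#!/bin/sh
# Added example, not from the original post: add a port to TCP_IN / TCP_OUT
# in a csf.conf-style file without duplicating an entry that is already there.
# The file path and port used below are assumptions for the demo.

# Print the current value of a KEY = "..." setting in a csf.conf-style file.
csf_get() {                                   # csf_get FILE KEY
    sed -n "s/^$2 *= *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Append PORT to KEY's comma-separated list in FILE, only if it is not already listed.
csf_add_port() {                              # csf_add_port FILE KEY PORT
    cur=$(csf_get "$1" "$2")
    case ",$cur," in
        *",$3,"*) return 0 ;;                 # already present: leave the list alone
    esac
    if [ -z "$cur" ]; then new="$3"; else new="$cur,$3"; fi
    # Rewrite via a temp file so this also works where sed -i is not portable.
    sed "s/^$2 *= *\"[^\"]*\"/$2 = \"$new\"/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample config mirroring the defaults quoted in the post.
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"
EOF

# Open MySQL (3306) in both directions, as the post does by hand.
csf_add_port "$DEMO_CONF" TCP_IN 3306
csf_add_port "$DEMO_CONF" TCP_OUT 3306
# A second run is a no-op: 3306 is already in the list.
csf_add_port "$DEMO_CONF" TCP_IN 3306
echo "TCP_IN  = $(csf_get "$DEMO_CONF" TCP_IN)"
echo "TCP_OUT = $(csf_get "$DEMO_CONF" TCP_OUT)"
```

After editing the real /etc/csf/csf.conf, restart the firewall with csf -r so the new rules are loaded.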
How to block an IP address:
# csf -d 123.123.123.123 "Mentions the reason block IP"
Adding 124.153.121.166 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 123.123.123.123 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 123.123.123.123
This denies the IP address and adds it to the /etc/csf/csf.deny file.
How to unblock an IP address:
# csf -dr 123.123.123.123
Removing rule...
DROP all opt -- in !lo out * 123.123.123.123 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 123.123.123.123
This unblocks the IP address and removes it from the /etc/csf/csf.deny file.
How to allow an IP address permanently:
# csf -a 192.168.0.1 "server IP"
Adding 192.168.0.1 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 192.168.0.1 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.0.1
This allows the IP address and adds it to the /etc/csf/csf.allow file.
How to deny or allow countries:
Search for the option CC_DENY or CC_ALLOW in /etc/csf/csf.conf and add the country codes.
Each option is a comma-separated list of country codes (CC):
CC_DENY = "IR,CN,NL,IQ,IE,IL"
CC_ALLOW = "IN"
How to ignore LFD email alerts for a particular user:
Enter the user id in the csf.uidignore file:
# vi /etc/csf/csf.uidignore
500
You can look up the user id in /etc/passwd.
How to set the alert email address for server reports:
To receive alert report emails from the server, set the address to which lfd sends the relevant alert template:
# vi /etc/csf/csf.conf
LF_ALERT_TO = "alert@mydomain.com"
To make lfd process tracking ignore particular executables (exe), command lines (cmd) or usernames (user), open the csf.pignore file and add the exe path. For example, here three executables are ignored:
# vi /etc/csf/csf.pignore
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/java/jdk1.6.0_24/bin/java
exe:/usr/java/jdk1.7.0/bin/java
If you are curious about more csf commands, ask for help:
# csf --help
csf: v7.03 (cPanel)
...