Installing ConfigServer Security & Firewall (csf): Difference between revisions

From TeamSpeak Wiki
Latest revision as of 12:53, 6 January 2021

Basic CSF install

CSF is a script that vastly extends the capability of iptables on your server, including packet inspection and the ability to automatically ban the IP address of anyone who is brute-forcing things such as SSH logins. To quickly install the firewall, run the following commands:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

At this point CSF will be in "Testing" mode and will not be running any additional protection. Open /etc/csf/csf.conf and change the following lines:

TESTING = "0"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,10011,30033,41144"
UDP_IN = "20,21,53,9987"
UDP_OUT = "20,21,53,113,123,873,2011:2110,6277,24441"

If you are utilising IPv6 you will also need to modify TCP6_IN, UDP6_IN and UDP6_OUT.

After changing these lines execute "csf -r" in your shell and the firewall will be active and will have the needed TeamSpeak 3 ports open.

If you want to receive notifications when an IP is blocked, edit the file /root/.forward and enter an email address to send notifications to. Bear in mind that this needs a mail server such as sendmail, postfix (http://www.postfix.org/) or exim (https://www.exim.org/).

CONNLIMIT

THIS DOES NOT WORK WITH OPENVZ SERVERS

CONNLIMIT (connection limiting) can help with certain types of attacks against your server, specifically when the attacker keeps using the same IP address.

A reasonable base configuration for this would be something like:

CONNLIMIT = "30033;50,10011;50,9987;50"

This limits a single IP to 50 concurrent connections on each of those ports (file transfer, Server Query and voice), which should limit the amount of damage one address can do. Ideally you should lower these numbers until you see a problem and then increase the number by 2.

PORTFLOOD

THIS DOES NOT WORK WITH OPENVZ SERVERS

Portflood protection limits the ability of people to attack your server by sending a lot of data quickly from multiple IPs. This limit needs to be set high in case you have a sudden spike in traffic, such as the server restarting or a network outage causing everyone to disconnect and reconnect quickly.

A safe default would look something like:

PORTFLOOD = "80;tcp;20;10,10011;tcp;50;10,30033;tcp;50;10"

This limits port 80 to 20 and the Server Query and file transfer ports to 50 new connections per 10 seconds, which should limit the amount of damage that can be done. Ideally you should lower these numbers until you see a problem and then increase the number by 10.

SYNFLOOD

This option is only effective against SYN attacks on the file transfer and Server Query ports; it has no effect on normal voice traffic to port 9987 (UDP). It can and will also significantly slow down connections to your server's TCP ports, so you may wish to enable it only when you are certain users are attacking File Transfer and/or Server Query.

A reasonable default would be:

SYNFLOOD = "1"
SYNFLOOD_RATE = "200/s"
SYNFLOOD_BURST = "150"
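As an added example (not code from the TeamSpeak wiki or from csf itself), the following POSIX shell script checks a csf.conf the way the sections above describe: that TESTING is "0", that the voice, Server Query and file transfer ports are present in UDP_IN/TCP_IN, and that every CONNLIMIT and PORTFLOOD entry names a port csf actually opens, since a limit on a port that is never opened matches no traffic and only hides a typo. The two configuration fragments it writes to temporary files are constructed sample data; the function names are mine, and the "port;limit" and "port;proto;hits;interval" field layouts it assumes for the two options follow the examples on this page.

```shell
#!/bin/sh
# Added example, not code from the TeamSpeak wiki or from csf. Checks a
# csf.conf-style file for the settings this page asks for. Port numbers
# follow the page: 9987/udp voice, 10011/tcp server query, 30033/tcp files.

# conf_value KEY FILE -> prints the quoted value of KEY ("" if absent)
conf_value() {
  sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# port_in_list PORT LIST -> succeeds when PORT is in a csf comma-separated
# port list, which may contain ranges written LOW:HIGH (e.g. 2011:2110).
port_in_list() (
  IFS=,
  for item in $2; do
    case $item in
      *:*) [ "$1" -ge "${item%%:*}" ] && [ "$1" -le "${item##*:}" ] && exit 0 ;;
      *)   [ "$item" = "$1" ] && exit 0 ;;
    esac
  done
  exit 1
)

# check_ts3_conf FILE -> succeeds only if TESTING = "0" and all three
# TeamSpeak 3 ports are listed; prints what is missing otherwise.
check_ts3_conf() {
  problems=""
  [ "$(conf_value TESTING "$1")" = "0" ] || problems="$problems TESTING-not-0"
  tcp_in=$(conf_value TCP_IN "$1")
  udp_in=$(conf_value UDP_IN "$1")
  port_in_list 9987  "$udp_in" || problems="$problems 9987/udp"
  port_in_list 10011 "$tcp_in" || problems="$problems 10011/tcp"
  port_in_list 30033 "$tcp_in" || problems="$problems 30033/tcp"
  if [ -n "$problems" ]; then
    echo "$1: problems:$problems"
    return 1
  fi
  echo "$1: TESTING is off and the TeamSpeak 3 ports are open"
}

# check_rate_limits FILE -> succeeds only if every CONNLIMIT ("port;limit")
# and PORTFLOOD ("port;proto;hits;interval") entry refers to an opened port.
check_rate_limits() (
  tcp_in=$(conf_value TCP_IN "$1")
  udp_in=$(conf_value UDP_IN "$1")
  connlimit=$(conf_value CONNLIMIT "$1")
  portflood=$(conf_value PORTFLOOD "$1")
  bad=0
  IFS=,
  for entry in $connlimit; do
    port=${entry%%;*}
    if ! port_in_list "$port" "$tcp_in" && ! port_in_list "$port" "$udp_in"; then
      echo "$1: CONNLIMIT '$entry': port $port is in neither TCP_IN nor UDP_IN"
      bad=1
    fi
  done
  for entry in $portflood; do
    port=${entry%%;*}
    rest=${entry#*;}
    proto=${rest%%;*}
    case $proto in
      tcp) list=$tcp_in; name=TCP_IN ;;
      udp) list=$udp_in; name=UDP_IN ;;
      *)   echo "$1: PORTFLOOD '$entry': unknown protocol '$proto'"; bad=1; continue ;;
    esac
    if ! port_in_list "$port" "$list"; then
      echo "$1: PORTFLOOD '$entry': port $port/$proto is not in $name"
      bad=1
    fi
  done
  [ "$bad" -eq 0 ] && echo "$1: CONNLIMIT and PORTFLOOD only reference opened ports"
  exit "$bad"
)

# Constructed sample configs (test data, not real server configurations).
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
TESTING = "0"
TCP_IN = "20,21,22,25,53,80,443,10011,30033,41144"
UDP_IN = "20,21,53,9987"
CONNLIMIT = "30033;50,10011;50,9987;50"
PORTFLOOD = "80;tcp;20;10,10011;tcp;50;10,30033;tcp;50;10"
EOF
# Still in testing mode, TS3 ports not opened, limits on ports never opened.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
TESTING = "1"
TCP_IN = "22,80,443,2011:2110"
UDP_IN = "53"
CONNLIMIT = "30033;50"
PORTFLOOD = "80;tcp;20;10,9987;tcp;50;10"
EOF
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

for f in "$GOOD_CONF" "$BAD_CONF"; do
  check_ts3_conf "$f" || true
  check_rate_limits "$f" || true
done
```

Run it against the real file with `check_ts3_conf /etc/csf/csf.conf` before executing `csf -r`; the port parser understands csf's LOW:HIGH ranges, so a port covered by a range such as 2011:2110 counts as open.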