ConfigServer Security & Firewall (csf), together with its Login Failure Daemon (lfd), is a firewall suite for Linux servers that provides Stateful Packet Inspection (SPI), login/intrusion detection and a number of security checks. Although it is primarily built for cPanel, we have used it with the Plesk hosting control panel as well and it runs fine.
I have listed the installation steps for csf/lfd below. Log in to your server as root and issue the following commands:
# cd ; mkdir -p firewall ; cd firewall
Download and unpack the source. The vendor URL below is plain HTTP and the tarball carries no signature or checksum you could verify, so fetch it over HTTPS if the vendor offers it, since the next step runs the archive's installer as root:
# wget http://www.configserver.com/free/csf.tgz ; tar -xzf csf.tgz
Run installation script
# csf/install.sh
Once the installation completes, run the script below (shipped by the vendor) to check that your server/VPS kernel has the iptables modules csf needs; fix any FAILED checks before continuing, because the firewall will not work correctly without them:
# perl /etc/csf/csftest.pl
If the server previously used the other popular combination, APF/BFD, csf ships a script to remove it (two iptables rule managers running side by side will fight over the rule set):
# /etc/csf/remove_apf_bfd.sh
Common settings for incoming/outgoing TCP and UDP connections in /etc/csf/csf.conf:

ETH_DEVICE = "eth0"
ETH_DEVICE_SKIP = ""
# Allow incoming TCP ports
TCP_IN = "20,21,25,53,80,106,110,111,143,443,465,587,865,873,993,995,8443,8880"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,80,110,443,43,873,8443"
# Allow incoming UDP ports
UDP_IN = "53,111,123,230,631,859,862,2109,5353"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,2109"
# Allow incoming PING
ICMP_IN = "1"
# Set the per IP address incoming ICMP packet rate
# To disable rate limiting set to "0"
ICMP_IN_RATE = "0"
# Allow outgoing PING
ICMP_OUT = "1"
# Set the per IP address outgoing ICMP packet rate
# To disable rate limiting set to "0"
ICMP_OUT_RATE = "0"
# Enable login failure detection daemon (lfd).
LF_DAEMON = "1"

Adapt these lists to what the server actually runs. Note that TCP_IN above does not contain port 22: if your sshd listens on 22 (or any other port), add it before leaving TESTING mode or the firewall will cut off your own SSH session. Inbound 111 (portmapper), 631 (IPP/CUPS) and 5353 (mDNS) are rarely needed on a public hosting server and are better left closed unless something depends on them.
To allow Qmail through csf's SMTP restrictions, alter the following settings:

SMTP_BLOCK = "1"
SMTP_ALLOWLOCAL = "1"
SMTP_PORTS = "25,587"
SMTP_ALLOWUSER = "qmaild,qmaill,qmailp,qmailq,qmailr,qmails"
SMTP_ALLOWGROUP = "qmail,nofiles,mail,mailman"
Set the FROM/TO addresses for csf/lfd alert mail as below (this must be set explicitly on Plesk):

LF_ALERT_TO = "admin@example.com"
LF_ALERT_FROM = "firewall@example.com"
Enable blocking based on third-party block lists (the value is the refresh interval in seconds; "0" disables the list). Newer csf releases configure these lists in /etc/csf/csf.blocklists instead, so check which form your version uses:

# Enable IP range blocking using the DShield Block List
LF_DSHIELD = "86400"
# Enable IP range blocking using the Spamhaus DROP List
LF_SPAMHAUS = "86400"
# Enable IP range blocking using the BOGON List
LF_BOGON = "86400"
Now add the lfd ignore list for the qmail/Plesk mail users and processes to /etc/csf/csf.pignore, one entry per line:

user:admin
exe:/var/qmail/bin/qmail-smtpd
exe:/usr/bin/imapd
exe:/var/qmail/bin/qmail-queue
exe:/usr/bin/pop3d
exe:/var/qmail/bin/qmail-send
cmd:qmail-send
cmd:/usr/bin/pop3d Maildir
cmd:/var/qmail/bin/qmail-queue
cmd:/var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
cmd:/usr/bin/imapd Maildir
exe:/var/qmail/bin/qmail-rspawn
cmd:qmail-rspawn
exe:/var/qmail/bin/qmail-clean
cmd:qmail-clean
exe:/usr/sbin/clamd
cmd:clamd
exe:/var/qmail/bin/splogger
cmd:splogger qmail
exe:/var/qmail/bin/qmail-remote.moved
user:qmaill
user:popuser
user:qmaild
user:qmails
user:qmailr
user:qmailq
user:qscand
exe:/usr/sbin/avahi-daemon
user:avahi
exe:/usr/local/sbin/zabbix_agentd
cmd:/usr/local/sbin/zabbix_agentd
user:zabbix
exe:/usr/bin/sw-engine-cgi
cmd:/usr/bin/sw-engine-cgi
user:sso
exe:/usr/sbin/sw-cp-serverd
cmd:/usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config
user:sw-cp-server
exe:/usr/bin/sw-engine-cgi
cmd:/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm
user:psaadm
exe:/usr/libexec/mysqld
cmd:/usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock
user:mysql
exe:/usr/libexec/hald-addon-acpi
exe:/usr/sbin/hald
cmd:hald
user:haldaemon
exe:/usr/bin/postgres
user:postgres
exe:/sbin/portmap
cmd:portmap
user:rpc
exe:/usr/bin/xfs
cmd:xfs -droppriv -daemon
user:xfs
exe:/usr/bin/python
cmd:/usr/bin/python /usr/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
user:mailman
exe:/usr/java/jdk1.6.0_20/bin/java
user:tomcat
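A list this long is easy to get wrong, and lfd silently trusts whatever it contains. The script below is an added example, not part of csf or of this article: it lints a csf.pignore file for lines that are not one of the documented entry forms (exe:, user:, cmd: and their regex variants pexe:, puser:, pcmd:), for entries repeated verbatim (the list above repeats exe:/usr/bin/sw-engine-cgi), and for exe: entries that name an interpreter such as python or java, which exempt every process run by that binary rather than the one daemon you meant. The sample file it runs against is constructed here; on a real server pass /etc/csf/csf.pignore.

```shell
#!/bin/sh
# Lint a csf.pignore file. Added example, not part of csf or of the article.
# Assumes the entry forms documented in csf.pignore itself (exe:, user:, cmd:
# and their regex variants pexe:, puser:, pcmd:); the sample file is constructed.

# Print one finding per line and return non-zero if there were any:
#  - lines whose prefix is not a csf.pignore entry form
#  - entries repeated verbatim
#  - exe: entries naming an interpreter, which exempt every process run by that
#    binary from lfd's process tracking instead of the one daemon intended
lint_pignore() {  # lint_pignore FILE
    file=$1; problems=0; n=0
    seen=$(mktemp)
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|\#*) continue ;; esac        # blank lines and comments
        prefix=${line%%:*}
        case $prefix in
            exe|user|cmd|pexe|puser|pcmd) ;;
            *) echo "line $n: unknown entry type '$prefix': $line"
               problems=$((problems + 1)); continue ;;
        esac
        if grep -Fxq -- "$line" "$seen"; then
            echo "line $n: duplicate of an earlier entry: $line"
            problems=$((problems + 1))
        fi
        echo "$line" >> "$seen"
        if [ "$prefix" = exe ]; then
            case $(basename "${line#exe:}") in
                python*|perl*|ruby*|php*|java|sh|bash|dash)
                    echo "line $n: $line exempts every process run by that interpreter; use cmd: with the full command line"
                    problems=$((problems + 1)) ;;
            esac
        fi
    done < "$file"
    rm -f "$seen"
    [ "$problems" -eq 0 ]
}

# Constructed sample mirroring entries from the article, plus one malformed line.
demo=$(mktemp)
cat > "$demo" <<'EOF'
exe:/var/qmail/bin/qmail-smtpd
cmd:/usr/bin/pop3d Maildir
user:qmaild
exe:/usr/bin/sw-engine-cgi
exe:/usr/bin/sw-engine-cgi
exe:/usr/bin/python
cmd:/usr/bin/python /usr/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
exe:/usr/java/jdk1.6.0_20/bin/java
user:admin
bogus /bin/entry
EOF
lint_pignore "$demo" || echo "csf.pignore needs attention before lfd relies on it"
rm -f "$demo"
```

The interpreter check is deliberately conservative: a cmd: entry with the full command line (as the mailman qrunner entry above already does) narrows the exemption to that one process, whereas exe:/usr/bin/python would also hide any python process an attacker starts under a compromised account.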
Note: you will probably need to add more processes/users to match your own setup. Bear in mind that an exe: entry exempts every process running that binary from lfd's process tracking, so entries such as exe:/usr/bin/python and exe:/usr/java/jdk1.6.0_20/bin/java are very broad; where you can, use the cmd: form with the full command line instead. Now start csf:
# csf -s
Restart LFD
# service lfd restart
Installation is done. Check that the website, mail and the other services still work with the firewall up, then disable TESTING mode by setting TESTING = "0" in /etc/csf/csf.conf and restart csf and lfd. Until you do this the server is not actually protected: while TESTING = "1" a cron job flushes the rules every TESTING_INTERVAL minutes and lfd refuses to start.
# csf -r
# service lfd restart
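The one check worth running before you set TESTING = "0" is whether the port your sshd listens on is really in TCP_IN, since the list earlier in this article omits port 22 and the first csf -r after leaving TESTING mode would cut off your own session. The script below is an added example, not part of csf or of this article: it reads TCP_IN and TESTING from a csf.conf and the Port directive from an sshd_config, expands lo:hi port ranges the way csf does, and reports whether it is safe to proceed. It runs against constructed sample files that reproduce the article's TCP_IN; on a real server call preflight with /etc/csf/csf.conf and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Pre-flight check before setting TESTING = "0" in csf.conf.
# Added example, not part of csf or of the article. Assumes csf.conf's
# VAR = "value" syntax and sshd_config's "Port N" directive; everything
# else below is constructed sample data.

# Print the value of VAR from a csf.conf-style file (last definition wins).
csf_get() {  # csf_get VAR FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Port sshd listens on: first uncommented "Port N", or 22 when none is set.
sshd_port() {  # sshd_port SSHD_CONFIG
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${p:-22}"
}

# Succeed when PORT appears in a csf port list such as "20,21,22,33434:33523"
# (single ports or lo:hi ranges, comma separated, no spaces).
port_listed() {  # port_listed PORT LIST
    port=$1
    oldifs=$IFS; IFS=,; set -- $2; IFS=$oldifs
    for entry in "$@"; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi ;;
            *)   if [ "$entry" -eq "$port" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Report whether it is safe to disable TESTING: the sshd port must be in TCP_IN
# or the first `csf -r` after TESTING = "0" cuts off your own session.
preflight() {  # preflight CSF_CONF SSHD_CONFIG
    rc=0
    port=$(sshd_port "$2")
    tcp_in=$(csf_get TCP_IN "$1")
    if port_listed "$port" "$tcp_in"; then
        echo "OK: sshd port $port is in TCP_IN"
    else
        echo "FAIL: sshd port $port is not in TCP_IN ($tcp_in); add it before disabling TESTING"
        rc=1
    fi
    if [ "$(csf_get TESTING "$1")" = "1" ]; then
        echo "NOTE: TESTING is still 1: lfd will not run and the rules are flushed every TESTING_INTERVAL minutes"
    fi
    return $rc
}

# Constructed sample files reproducing the article's TCP_IN, which omits port 22.
demo=$(mktemp -d)
cat > "$demo/csf.conf" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,25,53,80,106,110,111,143,443,465,587,865,873,993,995,8443,8880"
EOF
cat > "$demo/sshd_config" <<'EOF'
# Port 2222
Port 22
EOF
preflight "$demo/csf.conf" "$demo/sshd_config" || echo "not safe to run csf -r yet"
rm -rf "$demo"
```

Run against the sample it reports FAIL for port 22; after adding 22 (or your custom port) to TCP_IN it reports OK, and only then should TESTING go to "0".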
Below are some of the most common commands you will need to manage the csf firewall. Enabling the firewall (long or short form):
# csf --enable
# csf -e
Disabling the firewall:
# csf --disable
# csf -x
Starting the firewall / applying the rules:
# csf --start
# csf -s
Stopping the firewall / flushing the rules:
# csf --stop
# csf -f
Blocking an IP address (adding it to csf.deny):
# csf -d x.x.x.x "Reason for blocking"
# csf --deny x.x.x.x "Reason for blocking"
where x.x.x.x is the IPv4 address you want to block. Double-check the address first: denying your own management address, or a block that contains it, locks you out.
Removing an IPv4 address from the deny list:
# csf -dr x.x.x.x
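Because csf -d takes whatever string it is given, a wrapper that validates the address and refuses the self-inflicted cases is worth having on a box you administer remotely. The script below is an added example, not part of csf or of this article: valid_ipv4 accepts only a dotted quad with an optional /0-32 prefix, and safe_deny refuses loopback and the address of the SSH session running it (taken from the SSH_CLIENT variable sshd sets) before calling csf -d. CSF_DRY_RUN is a hypothetical variable introduced here so the script can be exercised where csf is not installed; the addresses used are constructed documentation ranges.

```shell
#!/bin/sh
# Guarded wrapper around `csf -d`. Added example, not part of csf or of the
# article. Assumes csf's "csf -d ADDR reason" syntax; CSF_DRY_RUN is a
# hypothetical variable used here so the script can run where csf is absent.

# Succeed only for a dotted-quad IPv4 address, optionally with a /0-32 prefix.
valid_ipv4() {  # valid_ipv4 ADDR[/PREFIX]
    ip=${1%/*}; pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32               # no "/" present: a host address
    case $pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Block ADDR with a reason, refusing the cases that lock you out of your own box.
safe_deny() {  # safe_deny ADDR "reason"
    addr=$1; reason=$2
    admin=${SSH_CLIENT%% *}                   # client address of this SSH session
    if ! valid_ipv4 "$addr"; then
        echo "refusing: '$addr' is not an IPv4 address or CIDR block" >&2; return 1
    fi
    case ${addr%/*} in
        127.*) echo "refusing: $addr is loopback" >&2; return 1 ;;
    esac
    if [ -n "$admin" ] && [ "${addr%/*}" = "$admin" ]; then
        echo "refusing: $addr is the address of your own SSH session" >&2; return 1
    fi
    if [ "${CSF_DRY_RUN:-0}" = 1 ]; then
        echo "csf -d $addr \"$reason\""        # show what would run
    else
        csf -d "$addr" "$reason"
    fi
}

# Constructed usage: dry run, pretending the admin logged in from 198.51.100.7.
CSF_DRY_RUN=1; SSH_CLIENT="198.51.100.7 51234 22"
safe_deny 203.0.113.9 "SMTP AUTH brute force (constructed example)"
safe_deny 198.51.100.7 "would lock the admin out" || :
safe_deny "203.0.113.9; rm -rf /" "shell metacharacters are rejected" || :
```

The admin check is an exact match only; a CIDR block such as 198.51.100.0/24 that merely contains the admin address still goes through, so widen the test (or keep your management range in csf.allow, which csf consults before csf.deny) if you hand out network blocks.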
The files that the csf installation added or changed (useful when auditing what the installer touched):

/etc
/etc/logrotate.d
/etc/logrotate.d/lfd
/etc/rc.d/rc5.d
/etc/rc.d/rc5.d/S20lfd
/etc/rc.d/rc5.d/S15csf
/etc/rc.d/rc0.d
/etc/rc.d/rc0.d/K80csf
/etc/rc.d/rc0.d/K75lfd
/etc/rc.d/rc3.d
/etc/rc.d/rc3.d/S20lfd
/etc/rc.d/rc3.d/S15csf
/etc/rc.d/rc4.d
/etc/rc.d/rc4.d/S20lfd
/etc/rc.d/rc4.d/S15csf
/etc/rc.d/init.d
/etc/rc.d/init.d/lfd
/etc/rc.d/init.d/csf
/etc/rc.d/rc1.d
/etc/rc.d/rc1.d/K80csf
/etc/rc.d/rc1.d/K75lfd
/etc/rc.d/rc2.d
/etc/rc.d/rc2.d/S20lfd
/etc/rc.d/rc2.d/S15csf
/etc/rc.d/rc6.d
/etc/rc.d/rc6.d/K80csf
/etc/rc.d/rc6.d/K75lfd
/etc/cron.d
/etc/cron.d/lfdcron.sh
/etc/cron.d/csfcron.sh
/etc/csf
/etc/csf/csfwebmin.tgz
/etc/csf/csf.conf.preupdate
/etc/csf/csf.dirwatch
/etc/csf/less15cmin.csf.txt
/etc/csf/regex.custom.pm
/etc/csf/csf.logfiles
/etc/csf/csfui.pl
/etc/csf/csf.dyndns
/etc/csf/license.txt
/etc/csf/csf.pl
/etc/csf/uninstall.sh
/etc/csf/install.txt
/etc/csf/pt_deleted_action.pl
/etc/csf/alerts
/etc/csf/csf.fignore
/etc/csf/csf.uidignore
/etc/csf/csf.deny
/etc/csf/csf.signore
/etc/csf/messenger
/etc/csf/messenger/index.html
/etc/csf/messenger/index.text
/etc/csf/messenger/csf_small.png
/etc/csf/csf.rignore
/etc/csf/csf.sips
/etc/csf/ui
/etc/csf/ui/server.crt
/etc/csf/ui/ui.allow
/etc/csf/ui/server.key
/etc/csf/ui/ui.ban
/etc/csf/ui/images
/etc/csf/ui/images/minus.png
/etc/csf/ui/images/cse_small.png
/etc/csf/ui/images/ip.png
/etc/csf/ui/images/cxs_small.png
/etc/csf/ui/images/viewdelivery.png
/etc/csf/ui/images/plus.png
/etc/csf/ui/images/LICENSE.txt
/etc/csf/ui/images/icon.gif
/etc/csf/ui/images/deliver.png
/etc/csf/ui/images/delete.png
/etc/csf/ui/images/csf_small.png
/etc/csf/ui/images/perm.png
/etc/csf/ui/images/cxs.png
/etc/csf/ui/images/cxs-loader.gif
/etc/csf/lfd.pl
/etc/csf/readme.txt
/etc/csf/csf.blocklists
/etc/csf/webmin
/etc/csf/csf.resellers
/etc/csf/csf.suignore
/etc/csf/less10cmin.csf.txt
/etc/csf/changelog.txt
/etc/csf/csf.ignore
/etc/csf/csf.conf
/etc/csf/csf.redirect
/etc/csf/csf.syslogs
/etc/csf/version.txt
/etc/csf/csf.logignore
/etc/csf/csf.pignore
/etc/csf/csftest.pl
/etc/csf/csf.allow
/etc/csf/remove_apf_bfd.sh
/etc/csf/csf.mignore
/var/lib
/var/lib/csf
/var/lib/csf/zone
/var/lib/csf/lock
/var/lib/csf/ui
/var/lib/csf/webmin
/var/lib/csf/Geo
/var/lib/csf/stats
/usr/local
/usr/local/man
/usr/local/man/man1
/usr/local/man/man1/csf.1
/usr/local/csf
/usr/local/csf/csfwebmin.tgz
/usr/local/csf/tpl
/usr/local/csf/tpl/uidscan.txt
/usr/local/csf/tpl/loadalert.txt
/usr/local/csf/tpl/integrityalert.txt
/usr/local/csf/tpl/consolealert.txt
/usr/local/csf/tpl/portknocking.txt
/usr/local/csf/tpl/reselleralert.txt
/usr/local/csf/tpl/sualert.txt
/usr/local/csf/tpl/accounttracking.txt
/usr/local/csf/tpl/forkbombalert.txt
/usr/local/csf/tpl/syslogalert.txt
/usr/local/csf/tpl/webminalert.txt
/usr/local/csf/tpl/exploitalert.txt
/usr/local/csf/tpl/tracking.txt
/usr/local/csf/tpl/watchalert.txt
/usr/local/csf/tpl/scriptalert.txt
/usr/local/csf/tpl/uialert.txt
/usr/local/csf/tpl/usertracking.txt
/usr/local/csf/tpl/netblock.txt
/usr/local/csf/tpl/x-arf.txt
/usr/local/csf/tpl/resalert.txt
/usr/local/csf/tpl/sshalert.txt
/usr/local/csf/tpl/processtracking.txt
/usr/local/csf/tpl/alert.txt
/usr/local/csf/tpl/logfloodalert.txt
/usr/local/csf/tpl/portscan.txt
/usr/local/csf/tpl/permblock.txt
/usr/local/csf/tpl/filealert.txt
/usr/local/csf/tpl/cpanelalert.txt
/usr/local/csf/tpl/queuealert.txt
/usr/local/csf/tpl/relayalert.txt
/usr/local/csf/tpl/connectiontracking.txt
/usr/local/csf/tpl/logalert.txt
/usr/local/csf/lib
/usr/local/csf/lib/restricted.txt
/usr/local/csf/lib/Crypt
/usr/local/csf/lib/Crypt/CBC.pm
/usr/local/csf/lib/Crypt/Blowfish_PP.pm
/usr/local/csf/lib/csf.div
/usr/local/csf/lib/sanity.txt
/usr/local/csf/lib/csf.help
/usr/local/csf/lib/webmin
/usr/local/csf/lib/webmin/csf
/usr/local/csf/lib/webmin/csf/index.cgi
/usr/local/csf/lib/webmin/csf/images
/usr/local/csf/lib/webmin/csf/images/minus.png
/usr/local/csf/lib/webmin/csf/images/ip.png
/usr/local/csf/lib/webmin/csf/images/plus.png
/usr/local/csf/lib/webmin/csf/images/LICENSE.txt
/usr/local/csf/lib/webmin/csf/images/icon.gif
/usr/local/csf/lib/webmin/csf/images/loader.gif
/usr/local/csf/lib/webmin/csf/images/delete.png
/usr/local/csf/lib/webmin/csf/images/csf_small.png
/usr/local/csf/lib/webmin/csf/images/perm.png
/usr/local/csf/lib/webmin/csf/module.info
/usr/local/csf/lib/HTTP
/usr/local/csf/lib/HTTP/Tiny.pm
/usr/local/csf/lib/Geo
/usr/local/csf/lib/Geo/Mirror.pm
/usr/local/csf/lib/Geo/IP
/usr/local/csf/lib/Geo/IP/Record.pm
/usr/local/csf/lib/Geo/IP/Record.pod
/usr/local/csf/lib/Geo/IP.pm
/usr/local/csf/lib/csfajaxtail.js
/usr/local/csf/lib/Net
/usr/local/csf/lib/Net/CIDR
/usr/local/csf/lib/Net/CIDR/Lite.pm
/usr/local/csf/bin
/usr/local/csf/bin/regex.custom.pm
/usr/local/csf/bin/csfui.pl
/usr/local/csf/bin/servercheck.pm
/usr/local/csf/bin/uninstall.sh
/usr/local/csf/bin/regex.pm
/usr/local/csf/bin/pt_deleted_action.pl
/usr/local/csf/bin/cseui.pl
/usr/local/csf/bin/csfuir.pl
/usr/local/csf/bin/csftest.pl
/usr/local/csf/bin/remove_apf_bfd.sh
/usr/sbin
/usr/sbin/lfd
/usr/sbin/csf