ConfigServer Services firewall installation guide for Plesk

Config Server Firewall (csf) with Login Failure Daemon (lfd) is a robust firewall solution for Linux servers that combines Stateful Packet Inspection (SPI), login/intrusion detection and a security application. Although it is more compatible with cPanel, we have been able to use it with the Plesk hosting control panel as well, and it is running fine.

I have listed the installation steps for CSF / LFD below. Log in to your server as the 'root' user and issue the commands below:

# cd ; mkdir -p firewall ; cd firewall

Download and untar the source for installation

# wget http://www.configserver.com/free/csf.tgz ; tar -xzf csf.tgz

Run the installation script

# csf/install.sh

Once the installation is complete, you can run the script below, provided by the vendor, to check whether your server/VPS has the required iptables modules available:

# perl /etc/csf/csftest.pl

CSF provides a script to remove the other popular combination I talked about above, i.e. apf/bfd:

# /etc/csf/remove_apf_bfd.sh

Common settings for incoming/outgoing TCP and UDP connections (in /etc/csf/csf.conf):

    ETH_DEVICE = "eth0"

    ETH_DEVICE_SKIP = ""

    # Allow incoming TCP ports
    TCP_IN = "20,21,25,53,80,106,110,111,143,443,465,587,865,873,993,995,8443,8880"

    # Allow outgoing TCP ports
    TCP_OUT = "20,21,22,25,80,110,443,43,873,8443"

    # Allow incoming UDP ports
    UDP_IN = "53,111,123,230,631,859,862,2109,5353"

    # Allow outgoing UDP ports
    # To allow outgoing traceroute add 33434:33523 to this list
    UDP_OUT = "20,21,53,113,123,2109"

    # Allow incoming PING
    ICMP_IN = "1"

    # Set the per IP address incoming ICMP packet rate
    # To disable rate limiting set to "0"
    ICMP_IN_RATE = "0"

    # Allow outgoing PING
    ICMP_OUT = "1"

    # Set the per IP address outgoing ICMP packet rate
    # To disable rate limiting set to "0"
    ICMP_OUT_RATE = "0"

    # Enable login failure detection daemon (lfd).
    LF_DAEMON = "1"

To allow Qmail through CSF, alter the settings below:

    SMTP_BLOCK = "1"
    SMTP_ALLOWLOCAL = "1"
    SMTP_PORTS = "25,587"
    SMTP_ALLOWUSER = "qmaild,qmaill,qmailp,qmailq,qmailr,qmails"
    SMTP_ALLOWGROUP = "qmail,nofiles,mail,mailman"

Set the FROM/TO addresses for CSF/LFD reporting as below (these need to be set for Plesk):

    LF_ALERT_TO = "admin@example.com"
    LF_ALERT_FROM = "firewall@example.com"

Allowing third-party block list checking:

    # Enable IP range blocking using the DShield Block List at
    LF_DSHIELD = "86400"

    # Enable IP range blocking using the Spamhaus DROP List at
    LF_SPAMHAUS = "86400"

    # Enable IP range blocking using the BOGON List at
    LF_BOGON = "86400"

Now add the LFD ignore list for the qmail/Plesk mail users and processes to the csf.pignore file:

    user:admin
    exe:/var/qmail/bin/qmail-smtpd
    exe:/usr/bin/imapd
    exe:/var/qmail/bin/qmail-queue
    exe:/usr/bin/pop3d
    exe:/var/qmail/bin/qmail-send
    cmd:qmail-send
    cmd:/usr/bin/pop3d Maildir
    cmd:/var/qmail/bin/qmail-queue
    cmd:/var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
    cmd:/usr/bin/imapd Maildir
    exe:/var/qmail/bin/qmail-rspawn
    cmd:qmail-rspawn
    exe:/var/qmail/bin/qmail-clean
    cmd:qmail-clean
    exe:/usr/sbin/clamd
    cmd:clamd
    exe:/var/qmail/bin/splogger
    cmd:splogger qmail
    exe:/var/qmail/bin/qmail-remote.moved
    user:qmaill
    user:popuser
    user:qmaild
    user:qmails
    user:qmailr
    user:qmailq
    user:qscand
    exe:/usr/sbin/avahi-daemon
    user:avahi
    exe:/usr/local/sbin/zabbix_agentd
    cmd:/usr/local/sbin/zabbix_agentd
    user:zabbix
    exe:/usr/bin/sw-engine-cgi
    cmd:/usr/bin/sw-engine-cgi
    user:sso
    exe:/usr/sbin/sw-cp-serverd
    cmd:/usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config
    user:sw-cp-server
    exe:/usr/bin/sw-engine-cgi
    cmd:/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm
    user:psaadm
    exe:/usr/libexec/mysqld
    cmd:/usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock
    user:mysql
    exe:/usr/libexec/hald-addon-acpi
    exe:/usr/sbin/hald
    cmd:hald
    user:haldaemon
    exe:/usr/bin/postgres
    user:postgres
    exe:/sbin/portmap
    cmd:portmap
    user:rpc
    exe:/usr/bin/xfs
    cmd:xfs -droppriv -daemon
    user:xfs
    exe:/usr/bin/python
    cmd:/usr/bin/python /usr/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
    user:mailman
    exe:/usr/java/jdk1.6.0_20/bin/java
    user:tomcat
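
Each csf.pignore entry has to sit on a single line, and entries copied from a rendered web page can arrive wrapped or with typographic dashes in place of `--`. An `exe:` entry for an interpreter such as /usr/bin/python or java also matches every script that interpreter runs, which is much broader than a `cmd:` entry for one command line. The lint below is an added example, not part of the original guide or of csf; the names `lint_pignore` and `sample_pignore`, the finding codes and the sample entries are made up for illustration.

```shell
#!/bin/sh
# Added example: lint a csf.pignore-style list before handing it to lfd.

# lint_pignore [FILE]: read FILE (or stdin) and print "LINE:CODE:entry" for
# each entry that needs attention.
lint_pignore() {
    LC_ALL=C awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        # Bytes outside printable ASCII: typographic dashes or quotes.
        /[^ -~]/ { print NR ":NONASCII:" $0; next }
        # No exe:/cmd:/user: prefix (or p-prefixed regex form): the tail of an
        # entry that was wrapped onto a second line.
        !/^p?(exe|cmd|user):./ { print NR ":CONTINUATION:" $0; next }
        # exe: on a general-purpose interpreter exempts every script it runs.
        /^exe:.*\/(python|perl|php|ruby|java|sh|bash)[0-9.]*$/ {
            print NR ":INTERPRETER:" $0
        }
    ' "$@"
}

# Constructed sample built from entries in the list above, as they look when
# copied from a rendered web page.
sample_pignore() {
    cat <<'EOF'
user:psaadm
exe:/var/qmail/bin/qmail-smtpd
cmd:/usr/libexec/mysqld –basedir=/usr –datadir=/var/lib/mysql
cmd:/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini
                           -d auto_prepend_file=auth.php3 -u psaadm
exe:/usr/bin/python
exe:/usr/java/jdk1.6.0_20/bin/java
EOF
}

sample_pignore | lint_pignore
```

Run it as `lint_pignore /etc/csf/csf.pignore` after editing the file; no output means no entry was flagged.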

Note: You may need to add a few more processes/users as per your requirements. Now start CSF:

  # csf -s

Restart LFD

  # service lfd restart

Installation is done. Now check the website, mail and other services, then disable TESTING mode in csf.conf and restart CSF/LFD:

    # csf -r
    # service lfd restart
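
Before TESTING is set to "0" in csf.conf, it is worth confirming that the settings were entered with plain ASCII quotes and that the SSH port is opened by TCP_IN; the TCP_IN list in this guide does not include port 22. The script below is an added example, not part of the original guide or of csf; the function names (`conf_get`, `port_listed`, `preflight`), the finding labels and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example: checks on a csf.conf-style file before TESTING is switched off.

# Print the value of KEY ($1) in FILE ($2), written as KEY = "value". Prints
# nothing if the key is absent or not wrapped in plain ASCII double quotes.
conf_get() {
    sed -n "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$2" | tail -n 1
}

# Succeed if PORT ($1) is in the comma-separated LIST ($2), either as a single
# port or inside a range written lo:hi.
port_listed() {
    for item in $(printf '%s' "$2" | tr ',' ' '); do
        lo=${item%%:*}; hi=${item##*:}
        [ "$1" -ge "$lo" ] 2>/dev/null && [ "$1" -le "$hi" ] 2>/dev/null && return 0
    done
    return 1
}

# Print one finding per line for FILE ($1); SSH_PORT ($2) defaults to 22.
preflight() {
    file=$1; ssh_port=${2:-22}
    # Bytes outside printable ASCII usually mean typographic quotes or dashes
    # pasted from a web page.
    if [ "$(LC_ALL=C tr -d '\11\12\15\40-\176' < "$file" | wc -c)" -gt 0 ]; then
        echo "NONASCII: file contains bytes outside printable ASCII"
    fi
    [ "$(conf_get TESTING "$file")" = "0" ] || echo "TESTING: not set to 0"
    tcp_in=$(conf_get TCP_IN "$file")
    if [ -z "$tcp_in" ]; then
        echo "TCP_IN: missing or not in plain double quotes"
    elif ! port_listed "$ssh_port" "$tcp_in"; then
        echo "SSH: port $ssh_port is not in TCP_IN"
    fi
    return 0
}

# Constructed sample: the guide's TCP_IN value with TESTING still enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,25,53,80,106,110,111,143,443,465,587,865,873,993,995,8443,8880"
EOF
preflight "$sample"
rm -f "$sample"
```

On a live server, call `preflight /etc/csf/csf.conf`, passing the sshd port as a second argument if it is not 22.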

Below I list some of the most common commands you will need to manage the csf firewall. Where two commands are shown, they are the long and short forms of the same option. Enabling the firewall:

    # csf --enable
    # csf -e

Disabling the firewall:

    # csf --disable
    # csf -x

Starting firewall / applying rules:

    # csf --start
    # csf -s

Stopping firewall / flushing rules:

    # csf --stop
    # csf -f

Adding an IP to the firewall deny list:

    # csf -d x.x.x.x "Reason for blocking the IPv4"
    # csf --deny x.x.x.x "Reason for blocking the IPv4"

where x.x.x.x is the IPv4 address you want to block.

Removing an IPv4 address from the deny list:

    # csf -dr x.x.x.x

The list of files and directories that were changed or added by the csf installation:

/etc
/etc/logrotate.d
/etc/logrotate.d/lfd
/etc/rc.d/rc5.d
/etc/rc.d/rc5.d/S20lfd
/etc/rc.d/rc5.d/S15csf
/etc/rc.d/rc0.d
/etc/rc.d/rc0.d/K80csf
/etc/rc.d/rc0.d/K75lfd
/etc/rc.d/rc3.d
/etc/rc.d/rc3.d/S20lfd
/etc/rc.d/rc3.d/S15csf
/etc/rc.d/rc4.d
/etc/rc.d/rc4.d/S20lfd
/etc/rc.d/rc4.d/S15csf
/etc/rc.d/init.d
/etc/rc.d/init.d/lfd
/etc/rc.d/init.d/csf
/etc/rc.d/rc1.d
/etc/rc.d/rc1.d/K80csf
/etc/rc.d/rc1.d/K75lfd
/etc/rc.d/rc2.d
/etc/rc.d/rc2.d/S20lfd
/etc/rc.d/rc2.d/S15csf
/etc/rc.d/rc6.d
/etc/rc.d/rc6.d/K80csf
/etc/rc.d/rc6.d/K75lfd
/etc/cron.d
/etc/cron.d/lfdcron.sh
/etc/cron.d/csfcron.sh
/etc/csf
/etc/csf/csfwebmin.tgz
/etc/csf/csf.conf.preupdate
/etc/csf/csf.dirwatch
/etc/csf/less15cmin.csf.txt
/etc/csf/regex.custom.pm
/etc/csf/csf.logfiles
/etc/csf/csfui.pl
/etc/csf/csf.dyndns
/etc/csf/license.txt
/etc/csf/csf.pl
/etc/csf/uninstall.sh
/etc/csf/install.txt
/etc/csf/pt_deleted_action.pl
/etc/csf/alerts
/etc/csf/csf.fignore
/etc/csf/csf.uidignore
/etc/csf/csf.deny
/etc/csf/csf.signore
/etc/csf/messenger
/etc/csf/messenger/index.html
/etc/csf/messenger/index.text
/etc/csf/messenger/csf_small.png
/etc/csf/csf.rignore
/etc/csf/csf.sips
/etc/csf/ui
/etc/csf/ui/server.crt
/etc/csf/ui/ui.allow
/etc/csf/ui/server.key
/etc/csf/ui/ui.ban
/etc/csf/ui/images
/etc/csf/ui/images/minus.png
/etc/csf/ui/images/cse_small.png
/etc/csf/ui/images/ip.png
/etc/csf/ui/images/cxs_small.png
/etc/csf/ui/images/viewdelivery.png
/etc/csf/ui/images/plus.png
/etc/csf/ui/images/LICENSE.txt
/etc/csf/ui/images/icon.gif
/etc/csf/ui/images/deliver.png
/etc/csf/ui/images/delete.png
/etc/csf/ui/images/csf_small.png
/etc/csf/ui/images/perm.png
/etc/csf/ui/images/cxs.png
/etc/csf/ui/images/cxs-loader.gif
/etc/csf/lfd.pl
/etc/csf/readme.txt
/etc/csf/csf.blocklists
/etc/csf/webmin
/etc/csf/csf.resellers
/etc/csf/csf.suignore
/etc/csf/less10cmin.csf.txt
/etc/csf/changelog.txt
/etc/csf/csf.ignore
/etc/csf/csf.conf
/etc/csf/csf.redirect
/etc/csf/csf.syslogs
/etc/csf/version.txt
/etc/csf/csf.logignore
/etc/csf/csf.pignore
/etc/csf/csftest.pl
/etc/csf/csf.allow
/etc/csf/remove_apf_bfd.sh
/etc/csf/csf.mignore
/var/lib
/var/lib/csf
/var/lib/csf/zone
/var/lib/csf/lock
/var/lib/csf/ui
/var/lib/csf/webmin
/var/lib/csf/Geo
/var/lib/csf/stats
/usr/local
/usr/local/man
/usr/local/man/man1
/usr/local/man/man1/csf.1
/usr/local/csf
/usr/local/csf/csfwebmin.tgz
/usr/local/csf/tpl
/usr/local/csf/tpl/uidscan.txt
/usr/local/csf/tpl/loadalert.txt
/usr/local/csf/tpl/integrityalert.txt
/usr/local/csf/tpl/consolealert.txt
/usr/local/csf/tpl/portknocking.txt
/usr/local/csf/tpl/reselleralert.txt
/usr/local/csf/tpl/sualert.txt
/usr/local/csf/tpl/accounttracking.txt
/usr/local/csf/tpl/forkbombalert.txt
/usr/local/csf/tpl/syslogalert.txt
/usr/local/csf/tpl/webminalert.txt
/usr/local/csf/tpl/exploitalert.txt
/usr/local/csf/tpl/tracking.txt
/usr/local/csf/tpl/watchalert.txt
/usr/local/csf/tpl/scriptalert.txt
/usr/local/csf/tpl/uialert.txt
/usr/local/csf/tpl/usertracking.txt
/usr/local/csf/tpl/netblock.txt
/usr/local/csf/tpl/x-arf.txt
/usr/local/csf/tpl/resalert.txt
/usr/local/csf/tpl/sshalert.txt
/usr/local/csf/tpl/processtracking.txt
/usr/local/csf/tpl/alert.txt
/usr/local/csf/tpl/logfloodalert.txt
/usr/local/csf/tpl/portscan.txt
/usr/local/csf/tpl/permblock.txt
/usr/local/csf/tpl/filealert.txt
/usr/local/csf/tpl/cpanelalert.txt
/usr/local/csf/tpl/queuealert.txt
/usr/local/csf/tpl/relayalert.txt
/usr/local/csf/tpl/connectiontracking.txt
/usr/local/csf/tpl/logalert.txt
/usr/local/csf/lib
/usr/local/csf/lib/restricted.txt
/usr/local/csf/lib/Crypt
/usr/local/csf/lib/Crypt/CBC.pm
/usr/local/csf/lib/Crypt/Blowfish_PP.pm
/usr/local/csf/lib/csf.div
/usr/local/csf/lib/sanity.txt
/usr/local/csf/lib/csf.help
/usr/local/csf/lib/webmin
/usr/local/csf/lib/webmin/csf
/usr/local/csf/lib/webmin/csf/index.cgi
/usr/local/csf/lib/webmin/csf/images
/usr/local/csf/lib/webmin/csf/images/minus.png
/usr/local/csf/lib/webmin/csf/images/ip.png
/usr/local/csf/lib/webmin/csf/images/plus.png
/usr/local/csf/lib/webmin/csf/images/LICENSE.txt
/usr/local/csf/lib/webmin/csf/images/icon.gif
/usr/local/csf/lib/webmin/csf/images/loader.gif
/usr/local/csf/lib/webmin/csf/images/delete.png
/usr/local/csf/lib/webmin/csf/images/csf_small.png
/usr/local/csf/lib/webmin/csf/images/perm.png
/usr/local/csf/lib/webmin/csf/module.info
/usr/local/csf/lib/HTTP
/usr/local/csf/lib/HTTP/Tiny.pm
/usr/local/csf/lib/Geo
/usr/local/csf/lib/Geo/Mirror.pm
/usr/local/csf/lib/Geo/IP
/usr/local/csf/lib/Geo/IP/Record.pm
/usr/local/csf/lib/Geo/IP/Record.pod
/usr/local/csf/lib/Geo/IP.pm
/usr/local/csf/lib/csfajaxtail.js
/usr/local/csf/lib/Net
/usr/local/csf/lib/Net/CIDR
/usr/local/csf/lib/Net/CIDR/Lite.pm
/usr/local/csf/bin
/usr/local/csf/bin/regex.custom.pm
/usr/local/csf/bin/csfui.pl
/usr/local/csf/bin/servercheck.pm
/usr/local/csf/bin/uninstall.sh
/usr/local/csf/bin/regex.pm
/usr/local/csf/bin/pt_deleted_action.pl
/usr/local/csf/bin/cseui.pl
/usr/local/csf/bin/csfuir.pl
/usr/local/csf/bin/csftest.pl
/usr/local/csf/bin/remove_apf_bfd.sh
/usr/sbin
/usr/sbin/lfd
/usr/sbin/csf