CSF Firewall
Working with CSF
There is one main thing to know about CSF boxes. Do not FLUSH IPTABLES. It removes all rules in the firewall, including the ones that route traffic. This means the server is instantly offline as soon as you run that command. In some cases, with certain kernels, it also causes a kernel panic. If you do it accidentally, restart csf on the server.
If you do need to flush the rules, you can instead do this:
csf -f
To see whether an IP is being blocked, use the csf grep option:
csf -g $IP
If you're still not sure what's going on with an IP address, the following command will show you all the CSF files containing an IP:
grep -R $IP /etc/csf/
Here is a full list of available CSF flags:
<source lang="bash">
# csf
ConfigServer Security & Firewall (http://www.configserver.com/cp/csf/)
csf: v4.17 (c)2006, Way to the Web Limited (http://www.waytotheweb.com)

Usage: /usr/sbin/csf [option] [value]

Option              Meaning
-h, --help          Show this message
-l, --status        List/Show iptables configuration
-s, --start         Start firewall rules
-f, --stop          Flush/Stop firewall rules
-r, --restart       Restart firewall rules
-a, --add ip        Add an IP address to be whitelisted to /etc/csf.allow
-d, --deny ip       Add an IP address to be blocked to /etc/csf.deny
-dr, --denyrm ip    Remove and unblock an IP address in /etc/csf.deny
-c, --check         Checks for updates to csf+lfd but does not perform an upgrade
-g, --grep ip       Search the iptables rules for an IP match (incl. CIDR)
-t, --temp          Displays the current list of temporary IP bans and their TTL
-tr, --temprm ip    Remove an IP address from the temporary IP ban list
-td, --tempdeny ip ttl [-p port] [-d direction]
                    Add an IP address to the temporary IP ban list. ttl is how long to blocks for in seconds. Optional port. Optional direction of block can be one of in, out or inout. Default is in
-tf, --tempf        Flush all IP addresses from the temporary IP ban list
-u, --update        Checks for updates to csf+lfd and performs an upgrade if available
-x, --disable       Disable csf and lfd
-e, --enable        Enable csf and lfd if previously disabled
-v, --version       Show csf version
</source>
Specs and WHM menu screenshots are available at the main site:
"ConfigServer Security & Firewall"
Removing Blocked IPs
The WHM "ConfigServer Security & Firewall" offers both "Remove Deny" and "Temporary IP Bans". Removing the "deny" will not clear temporary IP bans (tempip).
This is also true for the command-line options:
- Removing permanent deny:
<source lang="bash" startat="1"> csf --denyrm 10.255.254.67 </source>
- Removing temporary bans:
<source lang="bash" startat="1"> csf --temprm 10.255.254.67 </source>
Also check why the IP was blocked, so the customer can avoid being blocked again.
Whitelisting IPs
CSF has two main files for whitelisting:
/etc/csf/csf.allow
/etc/csf/csf.ignore
However, they perform different functions. csf.allow is where you add an IP to be allowed through the firewall. If a user's IP is in csf.allow it can still be blocked for login failures by the login failure daemon (LFD). If you notice a user was blocked by LFD, you need to add the IP to csf.ignore as well. Only an IP listed in both of these places will not be touched by CSF.
For more about LFD please see #LFD
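The following shell script, an added example that is not from the original page or from CSF, reports how an IP is treated given the files above: it checks csf.deny, csf.allow and csf.ignore and distinguishes an IP that is fully whitelisted (in both csf.allow and csf.ignore) from one that is only in csf.allow and can still be banned by LFD. The directory argument defaults to /etc/csf; the sample directory it builds, and every address in it, is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original wiki page or of CSF itself.
# Reports how an IP is treated by CSF/LFD by checking csf.deny, csf.allow and
# csf.ignore: an IP is only fully untouched when it is in BOTH csf.allow and csf.ignore.

# ip_listed_in IP FILE: is IP present as a whole word in FILE, ignoring commented-out lines?
# -F -w keeps 10.0.0.1 from matching 10.0.0.10 and also matches the s=IP part of port rules.
ip_listed_in() {
    [ -r "$2" ] || return 1
    grep -v '^[[:space:]]*#' "$2" | grep -Fwq -- "$1"
}

# csf_ip_status IP [DIR]: print one status word for IP using the CSF directory DIR (default /etc/csf).
csf_ip_status() {
    ip="$1"
    dir="${2:-/etc/csf}"
    if ip_listed_in "$ip" "$dir/csf.deny"; then
        echo "denied"
    elif ip_listed_in "$ip" "$dir/csf.allow" && ip_listed_in "$ip" "$dir/csf.ignore"; then
        echo "whitelisted"                # firewall passes it and LFD ignores it
    elif ip_listed_in "$ip" "$dir/csf.allow"; then
        echo "allowed-but-lfd-may-block"  # csf.allow alone: LFD can still ban it on login failures
    elif ip_listed_in "$ip" "$dir/csf.ignore"; then
        echo "ignored-by-lfd-only"        # LFD ignores it, but the normal port rules still apply
    else
        echo "not-listed"
    fi
}

# Build a constructed sample CSF directory (all values made up) and print its path.
make_sample_csf_dir() {
    d=$(mktemp -d)
    printf '%s\n' '# trusted office address (constructed)' '10.255.254.67' \
        'tcp:in:d=3306:s=67.227.128.126' > "$d/csf.allow"
    printf '%s\n' '10.255.254.67' > "$d/csf.ignore"
    printf '%s\n' '# blocked after a brute force (constructed)' '192.0.2.10 # lfd: 5 failed logins' \
        '# 192.0.2.11 commented out, must not count' > "$d/csf.deny"
    echo "$d"
}

# Usage demo against the constructed directory; on a live box: csf_ip_status 192.0.2.10
sample=$(make_sample_csf_dir)
for ip in 10.255.254.67 67.227.128.126 192.0.2.10 192.0.2.11; do
    printf '%-16s %s\n' "$ip" "$(csf_ip_status "$ip" "$sample")"
done
rm -rf "$sample"
```

The 67.227.128.126 entry shows the point of the section: a port-specific allow rule gets the IP through the firewall, but because it is absent from csf.ignore the script still reports that LFD may block it.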
Blacklisting/Whitelisting Entire Countries
CSF allows you to either blacklist or whitelist entire countries within the main csf.conf file. The CC_DENY and CC_ALLOW values let you add country codes so that an entire country will be blocked or allowed. However:
If you search for CC_DENY in /etc/csf/csf.conf you'll see where to add the two-letter country codes. It also gives an example of how to enter them. Here is the official list of country codes - http://www.iso.org/iso/country_names_and_code_elements
Allow only an IP to access a given port
In the allow list (csf.allow) you can add an IP and port to provide access even if it is closed. You would add an entry such as:
tcp:in:d=3306:s=67.227.128.126
This would let IP 67.227.128.126 access port 3306 (MySQL) even though the port isn't open in the firewall globally. This is also useful for security and PCI scans. It can also be used for someone who wants to lock down FTP access but still let trusted IPs use FTP.
DoS Prevention
CSF has a few tweaks we can use to help prevent/mitigate mild DoS attacks. This is limited, and if the DoS attack is even close to large you should use other tools to help with this, such as our DoS Procedures wiki or possibly even our managed DoS service.
The first is to adjust the maximum number of connections per IP address. In /etc/csf/csf.conf search for the CT_LIMIT value. By default it is 0, which allows unlimited connections. Change this to 100, as there's really no reason an IP should be connecting that many times.
You can also specify the port that this protection works on with the CT_PORTS variable. Make sure to place the value in quotes, so your entry should look like:
CT_PORTS = "80"
You can also specify multiple ports with commas, just like the other CSF configuration lines. An example would be:
CT_PORTS="80,25,110"
So, if you perform the above steps and the server reaches 100 established connections from one IP to Apache, SMTP, or POP, it is considered a DoS attack and that IP is blocked in the firewall.
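As an added example (not from the page or from CSF), the script below reproduces the CT_LIMIT/CT_PORTS check over a connection table so you can see which IPs CSF would block: it counts ESTABLISHED connections per remote IP on the listed ports from netstat -tn style lines and prints every IP at or over the limit, treating a limit of 0 as unlimited like csf.conf does. The connection table is constructed; on a live server you would pipe in the real netstat -tn output.

```shell
#!/bin/sh
# Added example, not part of the original page or of CSF.
# ct_offenders LIMIT PORTS reads "netstat -tn" style lines on stdin and prints
# "ip count" for every remote IP with LIMIT or more ESTABLISHED connections to
# the comma-separated PORTS, i.e. the condition under which CSF's connection
# tracking (CT_LIMIT / CT_PORTS) blocks the IP. LIMIT 0 means unlimited, as in csf.conf.
ct_offenders() {
    awk -v limit="$1" -v ports="$2" '
        BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        # netstat -tn columns: proto recv-q send-q local-addr:port foreign-addr:port state
        $1 == "tcp" && $6 == "ESTABLISHED" {
            lport = $4; sub(/.*:/, "", lport)       # local port the client connected to
            rip = $5; sub(/:[0-9]+$/, "", rip)      # remote IP without its source port
            if (lport in watch) count[rip]++
        }
        END { for (ip in count) if (limit + 0 > 0 && count[ip] >= limit) print ip, count[ip] }
    ' | sort
}

# Constructed connection table (not real traffic): one IP well over a limit of 100
# on the watched ports, one under it, one busy only on a port that is not watched,
# and a pile of TIME_WAIT entries that must not count.
sample_connections() {
    awk 'BEGIN {
        for (i = 0; i < 120; i++) printf "tcp 0 0 10.0.0.5:80 198.51.100.9:%d ESTABLISHED\n", 40000 + i
        for (i = 0; i < 40; i++)  printf "tcp 0 0 10.0.0.5:25 198.51.100.9:%d ESTABLISHED\n", 50000 + i
        for (i = 0; i < 30; i++)  printf "tcp 0 0 10.0.0.5:80 203.0.113.4:%d ESTABLISHED\n", 40000 + i
        for (i = 0; i < 200; i++) printf "tcp 0 0 10.0.0.5:22 192.0.2.1:%d ESTABLISHED\n", 40000 + i
        for (i = 0; i < 150; i++) printf "tcp 0 0 10.0.0.5:80 203.0.113.5:%d TIME_WAIT\n", 40000 + i
    }'
}

# Usage demo with the values recommended above; on a live box: netstat -tn | ct_offenders 100 "80,25,110"
sample_connections | ct_offenders 100 "80,25,110"
```

Only 198.51.100.9 is reported: its 120 web plus 40 SMTP connections add up across the watched ports, the 200 SSH connections from 192.0.2.1 are on a port outside CT_PORTS, and the TIME_WAIT entries are not established.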
CSF Installation
There are several reasons why you would replace APF with CSF. CSF is better at mitigating synfloods, DDoS attacks, and the general havoc that can be wrought upon a server through these issues.
However, there are many settings in csf that may need to be tweaked in order for it to work properly for a customer. MAKE SURE TO WARN THE CUSTOMER OF THIS BEFORE YOU SWITCH!!! Please look over the configuration VERY carefully before deciding to take the customer back to apf - chances are there is a setting that can be easily changed to remove any reported error. If you follow this wiki, all the currently open ports and settings should transfer over smoothly to CSF, but there can still be problems with LFD that need to be resolved.
Now that those warnings are out of the way, here is an overview of the things that need to happen when installing CSF. They are each outlined below in their respective section.
- Install perl-libwww-perl if needed
- Move the old rules
- Install CSF
- Remove testing mode
- Enable DSHIELD and SPAMHAUS
- Add Office & Monitoring ranges
- Add Guardian services if needed (check customer's Billing)
- Migrate the old blocked IPs
- Migrate the old allowed IPs
- Install CSF ModSec plugin
- If this is not a shared server, install CSF Messenger (optional - only if the customer wants this)
The following is a link to the CSF readme file. It may be of great use in your troubleshooting.
http://configserver.com/free/csf/readme.txt
You can either install CSF to work specifically with cPanel, or do a generic install for Core Managed customers.
Pre-Installation Check
There is a possibility depending on the type of server you're working with that the perl module libwww-perl will need to be installed if it is not already there. Check to see if it is installed with the following command:
yum list perl-libwww-perl
If it doesn't list that as an installed package, use one of the following two commands to install it:
yum install perl-libwww-perl
or
perl -MCPAN -e 'install Bundle::LWP'
Installing CSF with cPanel
Before installing you should remove APF. If it was installed via yum (most likely):
<source lang="bash">
mkdir /home/OldAPFRules
chmod 700 /home/OldAPFRules
cp /etc/apf/* /home/OldAPFRules/
rpm -qa | grep apf
lpyum remove lp-apf
lpyum remove apf
# CentOS 6
yum remove lp-apf
yum remove apf
</source>
Depending on the CentOS release it could have been installed from source. If that is the case, remove it with these commands:
<source lang="bash">
/etc/init.d/iptables stop
mkdir /home/OldAPFRules
chmod 700 /home/OldAPFRules
cp /etc/apf/*.rules /home/OldAPFRules/
rm -Rfv /etc/apf
rm -fv /etc/cron.daily/fw
chkconfig apf off
rm -fv /etc/init.d/apf
</source>
Then you can proceed with the installation:
<source lang="bash">
cd /home/temp/
wget http://www.configserver.com/free/csf.tgz
tar zxvf csf.tgz
cd csf
./install.cpanel.sh
/etc/init.d/csf restart
</source>
The cPanel installer script *should* autoconfigure the firewall to have cPanel ports open, but we'll check those for sure in just a bit.
After the installer completes, you will see output similar to the following:
<source lang="bash">
TCP ports currently listening for incoming connections:
20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306

UDP ports currently listening for incoming connections:
53,123

Note: The port details above are for information only, csf hasn't been auto-configured.

Don't forget to:
1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf configuration to suite your server
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall

Adding current SSH session IP address to the csf whitelist in csf.allow:
Adding 10.30.6.17 to csf.allow only while in TESTING mode (not iptables ACCEPT)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
</source>
That output is just giving you a list of ports that the CSF installer detected as having a service listening. You will want to add those ports to the appropriate TCP or UDP section in /etc/csf/csf.conf. Things such as an alternate SSH port should appear in this list.
Once you have added the ports and are confident the configuration is correct you'll need to edit the conf one last time to remove testing mode. It's the very first option on the conf - just change it from 1 to 0.
Please run the following commands to setup the standard RBLs. This will enable Dshield, Spamhaus and DROP List and set the default refresh time of 1 day:
<source lang="bash">
perl -i -p -e 's/LF_DSHIELD = "0"/LF_DSHIELD = "86400"/g' /etc/csf/csf.conf
perl -i -p -e 's/LF_SPAMHAUS = "0"/LF_SPAMHAUS = "86400"/g' /etc/csf/csf.conf
</source>
Migrate the blocked IPs from the previous APF configuration
cat /home/OldAPFRules/deny_hosts.rules |egrep "\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" > /etc/csf/csf.deny
Migrate the allowed IPs from the previous APF configuration
cat /home/OldAPFRules/allow_hosts.rules |egrep "\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" > /etc/csf/csf.allow
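The two egrep pipelines above copy every line that merely contains something shaped like an IPv4 address, so comment lines, invalid octets and bad prefix lengths land in csf.deny or csf.allow as well. The following script, an added example that is not part of the page or of APF/CSF, migrates only entries CSF will accept: plain IPv4 addresses, CIDR networks and port-specific rules in the proto:flow:d=port:s=ip form that APF's advanced rules also use, deduplicated, with everything else reported on stderr for a manual look. The sample rules file is constructed.

```shell
#!/bin/sh
# Added example, not part of the original page or of APF/CSF.
# apf_to_csf FILE converts an APF allow/deny rules file into lines CSF accepts:
# plain IPv4 addresses, IPv4/prefix networks and proto:flow:d=port:s=ip rules,
# deduplicated. Comments are dropped and anything else goes to stderr as "skipped:".
apf_to_csf() {
    awk '
        function valid_ipv4(s,    n, a, i) {
            n = split(s, a, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++) if (a[i] !~ /^[0-9]+$/ || a[i] + 0 > 255) return 0
            return 1
        }
        function valid_net(s,    n, a) {          # "ip" or "ip/prefix"
            n = split(s, a, "/")
            if (n == 1) return valid_ipv4(a[1])
            return n == 2 && valid_ipv4(a[1]) && a[2] ~ /^[0-9]+$/ && a[2] + 0 <= 32
        }
        {
            line = $0
            sub(/#.*/, "", line)                               # drop comments
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)      # trim
            if (line == "") next
            ok = valid_net(line)
            if (!ok && line ~ /^(tcp|udp):(in|out):[sd]=[0-9]+:[sd]=/) {
                ip = line; sub(/.*:[sd]=/, "", ip)             # address part of the rule
                ok = valid_net(ip)
            }
            if (!ok) { print ("skipped: " line) > "/dev/stderr"; next }
            if (!seen[line]++) print line
        }
    ' "$1"
}

# Constructed APF deny_hosts.rules (not a real file); prints its path.
make_sample_apf_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# deny_hosts.rules (constructed sample)
192.0.2.10            # brute-forcing ssh
198.51.100.0/24
192.0.2.10            # listed twice in APF, must appear once in CSF
tcp:in:d=3306:s=203.0.113.7
999.1.1.1             # invalid octet, must not be migrated
203.0.113.9/40        # bad prefix length
some note that is not a rule
EOF
    echo "$f"
}

# Usage demo; for the real migration: apf_to_csf /home/OldAPFRules/deny_hosts.rules >> /etc/csf/csf.deny
f=$(make_sample_apf_rules)
apf_to_csf "$f"
rm -f "$f"
```

Appending (>>) rather than redirecting (>) keeps any entries CSF already put in csf.deny; review the skipped lines on stderr before restarting CSF.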
Add the Allowed Ports
These are the default ports that we have setup on all of our boxes and this section is really just here for reference. The output from the CSF installation script mentioned above could be different so please take care when adjusting this section in /etc/csf/csf.conf.
<source lang="bash">
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2087,2089,2703"
</source>
Plesk Ports
<source lang="bash">
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,3306,6666,7786,8443,5224"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,5224"
</source>
Blocking or Unblocking Traceroute
You may find that traceroute is blocked when CSF is running (this appears to be the default). You can fix this by adding the appropriate UDP ports to the CSF configuration.
/etc/csf/csf.conf
<source lang="bash">
# Allow incoming UDP ports
UDP_IN = "33434:33523"
</source>
Add the Office and Monitoring Ranges.
Add the following range to the /etc/csf/csf.allow from this page: Internal IP Ranges
If the customer has Guardian, continue with the below steps. If not, skip down one section to CSF#Add_the_blocked_IPs_from_the_APF_install
Please see https://wiki.int.liquidweb.com/articles/Guardian_server_install#Customers_using_CSF
Also see https://wiki.int.liquidweb.com/articles/Guardian_Client_Setup#Server_environment_changes
Enabling and testing CSF
Even after all this work, CSF still isn't running. You need to run the following command to restart CSF:
/etc/init.d/csf restart
At this point it's a GREAT IDEA to open up another tab in shell and try and SSH into the server. This way if something is wrong with the firewall you still have access to the server through your open tab.
At this point, YOU HAVE CSF INSTALLED AND WORKING. There's still a few nice things we can do for customers though.
CSF ModSecurity Plugin
This plugin provides the fancy WHM interface that you/customers can use to easily edit the CSF configuration without going through command line. If you'd like to read more, information can be found at: http://www.configserver.com/cp/cmc.html
<source lang="bash">
cd /usr/local/src
wget http://www.configserver.com/free/cmc.tgz
tar -zxvf cmc.tgz
cd cmc/
sh install.sh
</source>
When this is complete you should see an option in WHM called "ConfigServer Security&Firewall" under Plugins.
CSF Messenger
This (completely 100% optional) tool offers a TEXT and HTML page to be displayed when a person is blocked in CSF. The actual pages and images that display can be found at /etc/csf/messenger and can be changed, but CSF will need to be restarted when changed.
1) Update CSF in the server to the latest version from your WHM if available - follow the #Updating CSF section to do this.
2) In command line, or the WHM CSF plug-in, open /etc/csf/csf.conf
3) Search for "MESSENGER" and change it to MESSENGER = "1" - this enables the functionality.
perl -i -p -e 's/MESSENGER = "0"/MESSENGER = "1"/g' /etc/csf/csf.conf
4) In command line add a user using the following command
useradd csf -s /bin/false
5) Restart both CSF and LFD to get this working.
<source lang="bash">
/etc/init.d/csf restart
/etc/init.d/lfd restart
</source>
6) Test your work by having someone else in the office give you their IP, block them in CSF, restart CSF, and have them go to a page on the server. They should get the message from CSF indicating they are blocked.
7) Once you confirm this is working, unblock the test IP and you're all set.
README documentation is here: http://www.configserver.com/free/csf/readme.txt
CSF Generic installation
This section can be used to install CSF on a non-cPanel (core managed) server.
<source lang="bash">
cd /home/temp/
wget http://www.configserver.com/free/csf.tgz
tar zxvf csf.tgz
cd csf
./install.sh
</source>
After the installer runs, you will need to edit the /etc/csf/csf.conf config file: set the eth device, turn off testing mode, and set the proper ports to be open or closed.
Once you have your config options all set, start the firewall:
/etc/init.d/csf restart
Updating CSF
Updating CSF is very easy - this also is set to run automatically every night in cron. If you need to do it manually, run this command:
csf -u
Updates failing
A customer may receive emails like this, or you may get this error when updating CSF manually:
<source lang="bash">
Upgrading csf from v5.34 to 5.35...
Retrieving new csf package...
Oops: Unable to open /usr/src/csf.tgz.tmp: No such file or directory
</source>
The first thing to check is the folder path - it could be trying to download to a folder that doesn't exist. Try:
mkdir -p /usr/src/
Then try the manual update again to see if that resolves the issue.
Uninstalling CSF
Disable without uninstalling
To disable CSF without uninstalling it, simply touch csf.disable:
touch /etc/csf/csf.disable
and flush the existing rules:
csf -f
You should get a confirmation similar to this:
csf and lfd have been disabled, use 'csf -e' to enable
To re-enable CSF:
csf -e
When you run this it will also reload the list of rules in the firewall, so you'll see them scroll by just as if you restart CSF normally.
Remove CSF
To remove the ConfigServer mail queues:
<source lang="bash">
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmq.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmqversion.txt
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmq/
</source>
To remove ConfigServer Explorer:
<source lang="bash">
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cse.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cseversion.txt
</source>
To uninstall ConfigServer Mail Manage:
<source lang="bash">
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmm.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmmversion.txt
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmm/
</source>
To uninstall ConfigServer Firewall:
/etc/csf/uninstall.sh
LFD
For more information about LFD in general, please see http://forum.configserver.com/viewtopic.php?f=6&t=2059
There are some LFD-specific configurations for CSF that you can take advantage of.
Whitelisting in LFD by default
If you always want IPs in csf.allow to be whitelisted in LFD too, instead of having to add them to csf.ignore manually, you can enable the IGNORE_ALLOW option in csf.conf. Make sure you restart both CSF and LFD after making this change.
Adjusting the block failure threshold
To view LFD's settings for when it is triggered, you need to search csf.conf for the specific flags for that specific service. For instance, if you want to modify the maximum number of attempts for SSH, you want LF_SSHD. If you want to alter this value for FTP, you want LF_FTPD, etc.
LFD Process Tracking Ignore List
1. If you're seeing spamd or any other processes being reported by LFD and you want to ignore it, the following can be added to /etc/csf/csf.pignore
cmd:spamd child
Then restart CSF and LFD.
2. If you're seeing awstats.pl being reported and want to ignore it, the following can be added to /etc/csf/csf.pignore:
<source lang="bash">
pcmd:/usr/local/cpanel/3rdparty/bin/awstats\.pl.*
pcmd:/usr/local/cpanel/base/awstats\.pl.*
</source>
Then restart CSF and LFD.
3. If you're seeing mailman being reported and want to ignore it, the following can be added to /etc/csf/csf.pignore:
<source lang="bash">
pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner.*
pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl.*
</source>
Then restart CSF and LFD.
4. If you're seeing (deleted) processes being reported then you need to read the information provided in csf.conf for the PT_DELETED option. Currently this reads:
<source lang="bash">
# lfd will report processes, even if they're listed in csf.pignore, if they're
# tagged as (deleted) by Linux. This information is provided in Linux under
# /proc/PID/exe. A (deleted) process is one that is running a binary that has
# the inode for the file removed from the file system directory. This usually
# happens when the binary has been replaced due to an upgrade for it by the OS
# vendor or another third party (e.g. cPanel). You need to investigate whether
# this is indeed the case to be sure that the original binary has not been
# replaced by a rootkit or is running an exploit.
#
# To stop lfd reporting such process you need to restart the daemon to which it
# belongs and therefore run the process using the replacement binary (presuming
# one exists). This will normally mean running the associated startup script in
# /etc/init.d/
#
# If you don't want lfd to report deleted binary processes, set to 0
PT_DELETED = "1"
</source>
If, for example, you still want to ignore pure-ftpd deleted executable reports, the following can be added to csf.pignore:
pexe:/usr/sbin/pure-ftpd.*
or, if you want to ignore deleted executable processes, set the following in csf.conf:
PT_DELETED = "0"
In either case, restart CSF and LFD after making any changes.
However, be aware that the file name of a deleted executable becomes more corrupted the longer the process is left running, so even the pure-ftpd part of the name may no longer match over time. This is a symptom of how the Linux file system handles processes whose executable no longer exists at the inode they were started from; lfd is simply reporting what the kernel shows.
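As an added example (not from the page, lfd or CSF), the script below does the check PT_DELETED describes by hand: it walks /proc, reads each process's exe link, reports the ones Linux has tagged (deleted), and drops those matched by a pexe: pattern from csf.pignore. It treats each pattern as an extended regex that must match the whole exe string including the (deleted) suffix, which is an assumption about how lfd applies them and the reason the CSF patterns end in ".*". The sample process tree and pignore file it builds are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page, of lfd or of CSF.
# deleted_exes [PROC_ROOT] [PIGNORE] lists processes whose /proc/PID/exe link is
# tagged "(deleted)", skipping any whose exe matches a pexe: pattern in PIGNORE.

# exe_ignored EXE PIGNORE: does EXE match a pexe: pattern (lines like pexe:/usr/sbin/pure-ftpd.*)?
# Assumption: a pattern is an extended regex matched against the whole exe string,
# "(deleted)" suffix included.
exe_ignored() {
    pats=$(mktemp)
    sed -n 's/^pexe://p' "$2" > "$pats"
    if printf '%s\n' "$1" | grep -qxEf "$pats"; then rc=0; else rc=1; fi
    rm -f "$pats"
    return $rc
}

deleted_exes() {
    proc="${1:-/proc}"
    pignore="$2"
    for d in "$proc"/[0-9]*; do
        [ -d "$d" ] || continue
        # readlink fails for kernel threads and for PIDs we may not inspect; skip those
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$exe" in
            *" (deleted)") ;;   # binary replaced or removed while the process kept running
            *) continue ;;
        esac
        pid=${d##*/}
        if [ -n "$pignore" ] && exe_ignored "$exe" "$pignore"; then
            continue
        fi
        echo "$pid $exe"
    done
    return 0
}

# Constructed stand-in for /proc (three fake PIDs) plus a csf.pignore; prints its path.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir "$d/101" "$d/202" "$d/303"
    ln -s "/usr/sbin/pure-ftpd (deleted)" "$d/101/exe"            # upgraded, covered by pignore
    ln -s "/usr/sbin/sshd" "$d/202/exe"                           # normal process
    ln -s "/usr/local/apache/bin/httpd (deleted)" "$d/303/exe"    # replaced binary, not ignored
    printf 'pexe:/usr/sbin/pure-ftpd.*\n' > "$d/csf.pignore"
    echo "$d"
}

# Usage demo on the constructed tree; on a live box: deleted_exes /proc /etc/csf/csf.pignore
sample=$(make_sample_proc)
echo "without pignore:"; deleted_exes "$sample"
echo "with pignore:";    deleted_exes "$sample" "$sample/csf.pignore"
rm -rf "$sample"
```

Anything the script still prints after the pignore pass is exactly what lfd would report, and the fix the csf.conf comment recommends is to restart that daemon so it runs the replacement binary, after confirming the replacement came from a legitimate upgrade.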
Troubleshooting
CSF Booleans versus Ranges
Some values in csf.conf are not Boolean 1's and 0's; they are ranges: "0" being zero seconds and "86400" one day. If you restart CSF and see messages similar to the following:
<source lang="bash">
*WARNING* LF_SPAMHAUS sanity check. LF_SPAMHAUS = 1. Recommended range: 0|3600-604800 (Default: 0)
*WARNING* LF_BOGON sanity check. LF_BOGON = 1. Recommended range: 0|3600-604800 (Default: 0)
*WARNING* LF_DSHIELD sanity check. LF_DSHIELD = 1. Recommended range: 0|3600-604800 (Default: 0)
</source>
then you have made this mistake. All the values listed above as noted in csf.conf are intervals between loading new copies of various blacklists. Be aware!
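An added example, not from the page or from CSF: a small check that reads the three blacklist intervals from csf.conf and warns when a value is neither 0 nor in the 3600-604800 range the sanity check expects, plus a helper that rewrites an option the way the perl one-liners earlier on this page do. The csf.conf fragment it builds is constructed.

```shell
#!/bin/sh
# Added example, not part of the original page or of CSF.
# check_csf_intervals FILE prints a WARN line for each blacklist interval option
# whose value is outside what csf's sanity check accepts (0, or 3600-604800 seconds).
check_csf_intervals() {
    conf="$1"
    for opt in LF_SPAMHAUS LF_DSHIELD LF_BOGON; do
        # take the quoted value of the last uncommented OPT = "N" line; commented-out copies are skipped
        val=$(sed -n "s/^[[:space:]]*$opt[[:space:]]*=[[:space:]]*\"\([0-9]*\)\".*/\1/p" "$conf" | tail -n 1)
        [ -n "$val" ] || continue
        if [ "$val" -ne 0 ] && { [ "$val" -lt 3600 ] || [ "$val" -gt 604800 ]; }; then
            echo "WARN $opt = $val (expected 0 or 3600-604800)"
        fi
    done
    return 0
}

# set_csf_option OPT VALUE FILE rewrites the uncommented OPT = "..." line in place.
set_csf_option() {
    sed "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"[^\"]*\"/$1 = \"$2\"/" "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

# Constructed csf.conf fragment (not a real configuration); prints its path.
make_sample_csf_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed csf.conf fragment for the example
TESTING = "0"
# LF_SPAMHAUS = "0"   (commented-out default, must be ignored)
LF_SPAMHAUS = "1"
LF_DSHIELD = "86400"
LF_BOGON = "0"
EOF
    echo "$f"
}

# Usage demo: warn on the mistaken "1", correct it to one day, and re-check.
f=$(make_sample_csf_conf)
check_csf_intervals "$f"
set_csf_option LF_SPAMHAUS 86400 "$f"
check_csf_intervals "$f"
grep '^LF_SPAMHAUS' "$f"
rm -f "$f"
```

Run check_csf_intervals /etc/csf/csf.conf before restarting CSF to catch the mistake without having to read the restart output.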