CSF - ConfigServer Security & Firewall
A set of scripts written in Perl that protects the system on top of iptables.
Official site: https://configserver.com/index.html
System environment: CentOS 7.2
Install CSF
yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes unzip bind-utils
cd /usr/src/
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Output
...
...
‘csf/jquery.min.js’ -> ‘webmin/csf/images/jquery.min.js’
‘csf/LICENSE.txt’ -> ‘webmin/csf/images/LICENSE.txt’
‘csf/loader.gif’ -> ‘webmin/csf/images/loader.gif’
‘/etc/csf/csfwebmin.tgz’ -> ‘/usr/local/csf/csfwebmin.tgz’
Installation Completed
Test command
cd /usr/local/csf/bin/
perl csftest.pl
Output
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Configure CSF
Stop firewalld
systemctl stop firewalld
systemctl disable firewalld
cd /etc/csf/
vim csf.conf
- Set TESTING to 0
- Make sure TCP_IN includes the port sshd actually listens on, plus every other port that must be open
- After 5 failed SSH logins the IP is blocked for 3600 seconds; to block it permanently, change the time to 1
...
TESTING = "0"
...
RESTRICT_SYSLOG = "3"
...
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
...
LF_SSHD = "5"
LF_SSHD_PERM = "3600"
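The three settings above are the ones that lock an administrator out when they are wrong (TESTING left at 1 clears the firewall from cron, and a TCP_IN without the sshd port drops the session that is editing the file). As an added example, not part of the original page or of CSF itself, here is a small pre-flight check that reads a csf.conf-style file and refuses the configuration unless TESTING is 0, the sshd port is listed in TCP_IN, and LF_SSHD is non-zero. The function names and the idea of passing the config path and sshd port as arguments are this example's own; port ranges in TCP_IN (for example 30000:35000) are not expanded.

```shell
#!/bin/sh
# Added example (not the page's own script): pre-flight check of /etc/csf/csf.conf
# before running "systemctl start csf". Usage: sh csf-check.sh /etc/csf/csf.conf 22

# Print the value of  KEY = "value"  from a csf.conf-style file (first match only).
conf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_csf_conf FILE [SSHPORT]
# Returns 0 when the file is safe to enable; prints each problem and returns 1 otherwise.
check_csf_conf() {
    conf="$1"; sshport="${2:-22}"; rc=0

    # TESTING="1" installs a cron job that flushes iptables every few minutes.
    testing=$(conf_get "$conf" TESTING)
    if [ "$testing" != "0" ]; then
        echo "TESTING=\"$testing\": firewall would be flushed by cron; set TESTING=\"0\""
        rc=1
    fi

    # The sshd port must appear as a whole list element in TCP_IN (ranges not expanded).
    tcp_in=$(conf_get "$conf" TCP_IN)
    case ",$tcp_in," in
        *",$sshport,"*) ;;
        *) echo "TCP_IN=\"$tcp_in\" does not contain sshd port $sshport; you would lock yourself out"; rc=1 ;;
    esac

    # LF_SSHD=0 disables blocking of brute-force SSH logins entirely.
    lf_sshd=$(conf_get "$conf" LF_SSHD)
    if [ "${lf_sshd:-0}" = "0" ]; then
        echo "LF_SSHD is unset or 0: failed SSH logins will never trigger a block"
        rc=1
    fi
    return $rc
}

# When run directly with arguments, check the given file and exit with its status.
if [ "$#" -gt 0 ]; then
    check_csf_conf "$@"
fi
```

Run it on the real file before enabling csf; a non-zero exit means the configuration needs another look, and the printed lines say which of the three settings is at fault.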
Start CSF & LFD
systemctl start csf
systemctl start lfd
systemctl enable csf
systemctl enable lfd
Basic CSF commands
List the current security rules
csf -l
Disable all rules (flush)
csf -f
Enable all rules
csf -s
Reload the rule configuration
csf -r
Add an IP to the whitelist (csf.allow)
csf -a 192.168.1.109
Remove an IP from the whitelist
csf -ar 192.168.1.109
Add an IP to the blacklist (csf.deny)
csf -d 192.168.1.109
Remove an IP from the blacklist
csf -dr 192.168.1.109
Remove all entries from the blacklist
csf -df
Custom rules
- csfpre.sh: executed before CSF starts
- csfpost.sh: executed after CSF starts
NOTE: these two files can be placed in either /etc/csf or /usr/local/csf/bin.
/etc/csf/csfpost.sh:
Example scenario: do not open 80 & 443 in csf.conf; instead use white-ip.lst to control which whitelisted addresses may access them.
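As an added example, not the page's own script, here is one way to write /etc/csf/csfpost.sh for this scenario. It assumes the whitelist is /etc/csf/white-ip.lst with one IPv4 address or CIDR per line and '#' comments; the file name, its format and the function names are this example's assumptions. Because csfpost.sh runs after CSF has loaded its own rules, the ACCEPT rules are inserted at the top of INPUT with -I so they are evaluated before CSF's final DROP, and they are rebuilt on every csf -r since CSF flushes and reloads the chains before calling csfpost.sh again.

```shell
#!/bin/sh
# Added example (not from the page or from CSF): /etc/csf/csfpost.sh that opens
# TCP 80/443 only to the addresses listed in a whitelist file.
# Assumed: WHITE_LIST holds one IPv4 address or CIDR per line, '#' starts a comment.
WHITE_LIST="${WHITE_LIST:-/etc/csf/white-ip.lst}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# build_rules FILE
# Print one iptables command per (address, port). Blank lines and comments are
# skipped; entries that are not made of digits, dots and a slash are reported
# on stderr and ignored so a typo in the list cannot inject an arbitrary rule.
build_rules() {
    list="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        ip=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$ip" ] && continue
        case "$ip" in
            *[!0-9./]*)
                echo "csfpost.sh: skipping invalid whitelist entry '$ip'" >&2
                continue ;;
        esac
        for port in 80 443; do
            echo "$IPTABLES -I INPUT -p tcp -s $ip --dport $port -j ACCEPT"
        done
    done < "$list"
}

# count_rules FILE: number of rules that would be installed (useful for logging).
count_rules() {
    build_rules "$1" 2>/dev/null | grep -c ACCEPT
}

# When CSF runs this hook the list normally exists; apply the generated rules.
# CSFPOST_DRY_RUN=1 prints them instead, which is handy before a csf -r.
if [ -r "$WHITE_LIST" ]; then
    if [ "${CSFPOST_DRY_RUN:-0}" = 1 ]; then
        build_rules "$WHITE_LIST"
    else
        build_rules "$WHITE_LIST" | sh
    fi
fi
```

Review the output of CSFPOST_DRY_RUN=1 sh /etc/csf/csfpost.sh before relying on it, and keep the whitelist file writable by root only, since every line in it becomes a firewall rule.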
Q & A
Q: Running csf -r gives an error
*WARNING* Binary location for [UNZIP] [/usr/bin/unzip] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
A: yum install unzip
Q: Running csf -r gives an error
*WARNING* Binary location for [HOST] [/usr/bin/host] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
A: yum install bind-utils