Firewall: ConfigServer Security & Firewall(CSF)

    Revision as of 02:38, 14 Sep 2024

    CSF - ConfigServer Security & Firewall

    Install CSF

    yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes
    
    cd /usr/src/
    wget https://download.configserver.com/csf.tgz
    
    tar -xzf csf.tgz
    cd csf
    sh install.sh
    

    Output


    ...
    ...
    ‘csf/jquery.min.js’ -> ‘webmin/csf/images/jquery.min.js’
    ‘csf/LICENSE.txt’ -> ‘webmin/csf/images/LICENSE.txt’
    ‘csf/loader.gif’ -> ‘webmin/csf/images/loader.gif’
    ‘/etc/csf/csfwebmin.tgz’ -> ‘/usr/local/csf/csfwebmin.tgz’

    Installation Completed

    Test command

    cd /usr/local/csf/bin/
    perl csftest.pl
    

    Output

    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK

    RESULT: csf should function on this server

    Configure CSF

    Stop and disable firewalld

    systemctl stop firewalld
    systemctl disable firewalld
    
    cd /etc/csf/
    vim csf.conf
    

    Set TESTING to 0, and make sure TCP_IN includes the port that SSH actually listens on.

    ...
    TESTING = "0"
    ...
    TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
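
    A pre-flight check for the step above, as an added example that is not part of the original page: it reads TCP_IN from csf.conf and verifies that every port sshd is configured with is covered, including lo:hi ranges, so that setting TESTING to 0 does not cut off your own SSH session. The function names and the sample files are constructed for illustration; on a real host pass /etc/csf/csf.conf and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: confirm sshd's port(s) are in TCP_IN before TESTING = "0".
# Function names and sample files are constructed for illustration.
# Limits: sshd Include drop-ins and "Port=NN" syntax are not parsed.

# Print the quoted value of a csf.conf setting (this script takes the last match).
csf_get() {  # usage: csf_get KEY FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Return 0 if PORT is covered by a csf port list (single ports or lo:hi ranges).
port_in_list() {  # usage: port_in_list PORT "20,21,30000:35000"
    for item in $(printf '%s' "$2" | tr ',' ' '); do
        case $item in
            *:*) [ "$1" -ge "${item%%:*}" ] && [ "$1" -le "${item##*:}" ] && return 0 ;;
            *)   [ "$item" = "$1" ] && return 0 ;;
        esac
    done
    return 1
}

# Print every port sshd is configured with (22 when no Port line is set).
sshd_ports() {  # usage: sshd_ports SSHD_CONFIG
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${ports:-22}"
}

# Return 0 only if every sshd port is in TCP_IN; otherwise name the gaps.
check_ssh_allowed() {  # usage: check_ssh_allowed CSF_CONF SSHD_CONFIG
    tcp_in=$(csf_get TCP_IN "$1"); missing=""
    for p in $(sshd_ports "$2"); do
        port_in_list "$p" "$tcp_in" || missing="$missing $p"
    done
    [ -z "$missing" ] && return 0
    echo "SSH port(s) missing from TCP_IN:$missing"
    return 1
}

# Constructed sample files (not from a real host) so the check runs offline.
demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/csf.conf" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
EOF
printf '#Port 22\n'  > "$demo_dir/sshd_default"   # no Port line: sshd uses 22
printf 'Port 2222\n' > "$demo_dir/sshd_moved"     # sshd moved off port 22

check_ssh_allowed "$demo_dir/csf.conf" "$demo_dir/sshd_default" && echo "default: OK"
check_ssh_allowed "$demo_dir/csf.conf" "$demo_dir/sshd_moved" || echo "moved: add 2222 to TCP_IN"
```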

    Start CSF & LFD

    systemctl start csf
    systemctl start lfd
    
    systemctl enable csf
    systemctl enable lfd
    
    

    Basic CSF commands

    List the current security rules

    csf -l

    Disable all rules

    csf -f

    Enable all rules

    csf -s

    Reload the rule configuration

    csf -r

    Add an IP to the allow list (csf.allow)

    csf -a 192.168.1.109

    Remove an IP from the allow list

    csf -ar 192.168.1.109

    Add an IP to the deny list (csf.deny)

    csf -d 192.168.1.109

    Remove an IP from the deny list

    csf -dr 192.168.1.109

    Remove all entries from the deny list

    csf -df

     

     

     
