Firewall: ConfigServer Security & Firewall(CSF)

    Version as of 02:48, 14 Sep 2024


    CSF - ConfigServer Security & Firewall

    A set of Perl scripts that build on iptables to protect the system.

    Official site: https://configserver.com/index.html

    System environment: CentOS 7.2

    Install CSF

    yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes unzip bind-utils
    
    cd /usr/src/
    wget https://download.configserver.com/csf.tgz
    
    tar -xzf csf.tgz
    cd csf
    sh install.sh
    

    Output


    ...
    ...
    ‘csf/jquery.min.js’ -> ‘webmin/csf/images/jquery.min.js’
    ‘csf/LICENSE.txt’ -> ‘webmin/csf/images/LICENSE.txt’
    ‘csf/loader.gif’ -> ‘webmin/csf/images/loader.gif’
    ‘/etc/csf/csfwebmin.tgz’ -> ‘/usr/local/csf/csfwebmin.tgz’

    Installation Completed

    Test command

    cd /usr/local/csf/bin/
    perl csftest.pl
    

    Output

    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK

    RESULT: csf should function on this server

    Configure CSF

    Stop firewalld

    systemctl stop firewalld
    systemctl disable firewalld
    
    cd /etc/csf/
    vim csf.conf
    
    • Set TESTING to 0
    • Make sure TCP_IN includes the port sshd actually listens on, as well as every other port that should be open
    • After 5 failed SSH logins the source IP is blocked for 3600 seconds; to block it permanently, change the time to 1

    ...
    TESTING = "0"

    ...

    RESTRICT_SYSLOG = "3"
    ...
    TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

    ...

    LF_SSHD = "5"
    LF_SSHD_PERM = "3600"

    Start CSF & LFD

    systemctl start csf
    systemctl start lfd
    
    systemctl enable csf
    systemctl enable lfd
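    Before starting csf, it is worth checking that csf.conf really carries the three settings above. The following POSIX shell checker is an added example, not part of the page or of CSF itself; the function names, the sample sshd port 2222 and the two constructed csf.conf fragments are assumptions.

```shell
# Added example, not from the page or from CSF itself: check a csf.conf for the
# three settings the page says to verify before enabling CSF (TESTING, TCP_IN,
# LF_SSHD). Assumes csf.conf keeps its KEY = "value" line format.

# csf_get KEY FILE -> print the quoted value of KEY (first uncommented match)
csf_get() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# tcp_in_has PORT FILE -> success if PORT is listed as a single port in TCP_IN
# (ranges such as 1000:2000 are not expanded; the page only uses single ports)
tcp_in_has() {
    csf_get TCP_IN "$2" | tr ',' '\n' | grep -qx "$1"
}

# check_csf_conf FILE SSH_PORT -> print one line per problem and return the
# number of problems found, so 0 means the file passes all three checks
check_csf_conf() {
    conf="$1"; sshport="$2"; problems=0
    if [ "$(csf_get TESTING "$conf")" != "0" ]; then
        echo "TESTING is not 0: rules are flushed by cron and lfd will not start"
        problems=$((problems + 1))
    fi
    if ! tcp_in_has "$sshport" "$conf"; then
        echo "TCP_IN does not list SSH port $sshport: starting csf would lock you out"
        problems=$((problems + 1))
    fi
    lf_sshd="$(csf_get LF_SSHD "$conf")"
    if [ -z "$lf_sshd" ] || [ "$lf_sshd" = "0" ]; then
        echo "LF_SSHD is 0 or unset: failed SSH logins are never blocked"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# write_sample_confs DIR -> two constructed csf.conf fragments for a server
# whose sshd listens on 2222: bad.conf (test mode, 2222 not opened), good.conf
write_sample_confs() {
    cat > "$1/bad.conf" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
LF_SSHD = "5"
EOF
    cat > "$1/good.conf" <<'EOF'
TESTING = "0"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222"
LF_SSHD = "5"
EOF
}
```

    Run it on the live file as `check_csf_conf /etc/csf/csf.conf <port>`, where `<port>` is the one sshd listens on; a non-zero return means csf.conf should be fixed before `systemctl start csf`.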
    
    

    Basic CSF commands

    List the current rules

    csf -l

    Flush all rules (stop the firewall)

    csf -f

    Start all rules

    csf -s

    Reload the rule configuration

    csf -r

    Add an IP to the whitelist (csf.allow)

    csf -a 192.168.1.109

    Remove an IP from the whitelist

    csf -ar 192.168.1.109

    Add an IP to the blacklist (csf.deny)

    csf -d 192.168.1.109

    Remove an IP from the blacklist

    csf -dr 192.168.1.109

    Remove every entry from the blacklist

    csf -df

    Q & A

    Q: Running csf -r gives this error

    *WARNING* Binary location for [UNZIP] [/usr/bin/unzip] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable

    A: yum install unzip

    Q: Running csf -r gives this error

    *WARNING* Binary location for [HOST] [/usr/bin/host] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable

    A: yum install bind-utils
