Page last modified 22:28, 2 Jun 2018 by alang

User:alang > IT 專案工作 > Firewall: ConfigServer Security & Firewall(CSF)

Page Notifications Off

Firewall: ConfigServer Security & Firewall(CSF)

內容表格

1. 安裝 CSF
2. 設定 CSF
3. CSF 基本指令
4. 客制化規則
5. Q & A
6. 參考連結

CSF - ConfigServer Security & Firewall

用 perl 開發的 scripts，基於 iptables 做系統防護。

官網首頁：https://configserver.com/index.html

系統環境：CentOS 7.2

安裝 CSF

// CentOS 7
yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes unzip bind-utils

// CentOS 5/6
yum install perl-libwww-perl wget vim

// Ubuntu 16.04
sudo apt-get install libgd-graph-perl libwww-perl

cd /usr/src/
wget https://download.configserver.com/csf.tgz

tar -xzf csf.tgz
cd csf
sh install.sh

輸出

...
...
‘csf/jquery.min.js’ -> ‘webmin/csf/images/jquery.min.js’
‘csf/LICENSE.txt’ -> ‘webmin/csf/images/LICENSE.txt’
‘csf/loader.gif’ -> ‘webmin/csf/images/loader.gif’
‘/etc/csf/csfwebmin.tgz’ -> ‘/usr/local/csf/csfwebmin.tgz’

Installation Completed

測試指令

cd /usr/local/csf/bin/
perl csftest.pl

輸出

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

設定 CSF

Stop the firewalld

// CentOS 7
systemctl stop firewalld
systemctl disable firewalld

// CentOS 6
chkconfig iptables off
service iptables stop

// Ubuntu 16.04
sudo ufw disable

cd /etc/csf/
vim csf.conf

將 TESTING 改成 0
確定 TCP_IN 有包含到實際 SSH 的通訊埠與要開放的通訊埠
SSH 超過 5 次登入失敗，就被封鎖 IP 3600 秒；若要永久封鎖，時間改成 1

...
TESTING = "0"

...

RESTRICT_SYSLOG = "3"
...
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

...

LF_SSHD = "5"
LF_SSHD_PERM = "3600"

啟動 CSF & LFD

// CentOS 7
systemctl start csf
systemctl start lfd
systemctl enable csf
systemctl enable lfd

// CentOS 5/6
service csf start
service lfd start
chkconfig csf on
chkconfig lfd on

檢查狀態

iptables -L -nv 
出現許多規則表示 csf 啟用成功

ps -ef | grep lfd
顯示 lfd 程序表示 lfd 啟用成功

CSF 基本指令

列出目前的安全規則

csf -l

關閉所有規則

csf -f

啟動所有規則

csf -s

重新載入規則設定

csf -r

新增 IP 至白名單（csf.allow）

csf -a 192.168.1.109

從白名單移除 IP

csf -ar 192.168.1.109

新增 IP 至黑名單（csf.deny）

csf -d 192.168.1.109

從黑名單移除 IP

csf -dr 192.168.1.109

移除黑名單的所有內容

csf -df

忽略名單 (csf.ignore)
忽略的 IP 將不受 lfd 的監控

vi /etc/csf/csf.ignore

1.2.3.4
2.3.0.0/16

客制化規則

csfpre.sh：啟動 CSF 前執行
csfpost.sh : 啟動 CSF 後執行

NOTE：這兩個檔案可以放在 /etc/csf 或 /usr/local/csf/bin 目錄內。

/etc/csf/csfpost.sh：
假設情境：在 csf.conf 不開放 80 & 443，改用 white-ip.lst 控制哪些白名單可以存取。

reference to undefined name 'syntax' Exception of type 'MindTouch.Deki.Script.Runtime.DekiScriptUndefinedNameException' was thrown. (click for details)

Callstack:
    at User:Alang/IT_專案工作/Firewall:_ConfigServer_Security_&_Firewall(CSF)

MindTouch.Deki.Script.Runtime.DekiScriptUndefinedNameException: reference to undefined name 'syntax' Exception of type 'MindTouch.Deki.Script.Runtime.DekiScriptUndefinedNameException' was thrown.
  at MindTouch.Deki.Script.Compiler.DekiScriptExpressionEvaluation.Visit (MindTouch.Deki.Script.Expr.DekiScriptVar expr, DekiScriptExpressionEvaluationState state) [0x00000] in <filename unknown>:0 
  at MindTouch.Deki.Script.Expr.DekiScriptVar.VisitWith[DekiScriptExpressionEvaluationState,Range] (IDekiScriptExpressionVisitor`2 visitor, DekiScriptExpressionEvaluationState state) [0x00000] in <filename unknown>:0 
  at MindTouch.Deki.Script.Compiler.DekiScriptExpressionEvaluation.Evaluate (MindTouch.Deki.Script.Expr.DekiScriptAccess expr, DekiScriptExpressionEvaluationState state, Boolean evaluateProperties) [0x00000] in <filename unknown>:0 
  at MindTouch.Deki.Script.Compiler.DekiScriptExpressionEvaluation.Visit (MindTouch.Deki.Script.Expr.DekiScriptAccess expr, DekiScriptExpressionEvaluationState state) [0x00000] in <filename unknown>:0 
  at MindTouch.Deki.Script.Expr.DekiScriptAccess.VisitWith[DekiScriptExpressionEvaluationState,Range] (IDekiScriptExpressionVisitor`2 visitor, DekiScriptExpressionEvaluationState state) [0x00000] in <filename unknown>:0 
  at MindTouch.Deki.Script.Compiler.DekiScriptExpressionEvaluation.Visit (MindTouch.Deki.Script.Expr.DekiScriptCall expr, DekiScriptExpressionEvaluationState state) [0x00000] in <filename unknown>:0 
  at MindTouch.Deki.Script.Expr.DekiScriptCall.VisitWith[DekiScriptExpressionEvaluationState,Range] (IDekiScriptExpressionVisitor`2 visitor, DekiScriptExpressionEvaluationState state) [0x00000] in <filename unknown>:0 
  at MindTouch.Deki.Script.Compiler.DekiScriptExpressionEvaluation.Visit (MindTouch.Deki.Script.Expr.DekiScriptSequence expr, DekiScriptExpressionEvaluationState state) [0x00000] in <filename unknown>:0 
  at MindTouch.Deki.Script.Expr.DekiScriptSequence.VisitWith[DekiScriptExpressionEvaluationState,Range] (IDekiScriptExpressionVisitor`2 visitor, DekiScriptExpressionEvaluationState state) [0x00000] in <filename unknown>:0 
  at MindTouch.Deki.Script.Compiler.DekiScriptExpressionEvaluation.Visit (MindTouch.Deki.Script.Expr.DekiScriptReturnScope expr, DekiScriptExpressionEvaluationState state) [0x00000] in <filename unknown>:0

Q & A

Q: 啟動 lfd 出現錯誤

Main Process: Unable to send SENDMAIL alert via [/usr/sbin/sendmail]: No such file or directory at /usr/sbin/lfd line 4149

A: yum install sendmail

如果不想寄告警信，可以調整 csf.conf

LF_EMAIL_ALERT = "0"

Q: 執行 csf -r 出現錯誤

*Error* File does not exist: [/etc/crontab] at /usr/sbin/csf line 3307

A: yum install crontabs

Q: 執行 csf -r 出現錯誤

*WARNING* Binary location for [UNZIP] [/usr/bin/unzip] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable

A: yum install unzip

Q: 執行 csf -r 出現錯誤

*WARNING* Binary location for [HOST] [/usr/bin/host] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable

A: yum install bind-utils

參考連結

標籤 (Edit tags)

No tags

什麼連接到這裡

文件 0

附加檔案或者圖像

Images 0
No images to display in the gallery.

您必須登入才能發佈評論。