To configure CSF, edit the configuration file csf.conf in /etc/csf:
nano /etc/csf/csf.conf
Then reload CSF to apply the changes:
csf -r
Installing CSF Firewall
Step 1: Configure the ports
First, decide which ports you will use and close all the others to harden the server.
By default, these ports are open:
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
The services that use these ports:
Port 20: FTP data transfer
Port 21: FTP control
Port 22: Secure shell (SSH)
Port 25: Simple mail transfer protocol (SMTP)
Port 53: Domain name system (DNS)
Port 80: Hypertext transfer protocol (HTTP)
Port 110: Post office protocol v3 (POP3)
Port 113: Authentication service/identification protocol
Port 123: Network time protocol (NTP)
Port 143: Internet message access protocol (IMAP)
Port 443: Hypertext transfer protocol over SSL/TLS (HTTPS)
Port 465: URL Rendezvous Directory for SSM (Cisco)
Port 587: E-mail message submission (SMTP)
Port 993: Internet message access protocol over SSL (IMAPS)
Port 995: Post office protocol 3 over TLS/SSL (POP3S)
Once you understand what each port is for, select only the ones you need. Below are the ports to open for each service:
- On all servers:
TCP_IN: 22,53
TCP_OUT: 22,80,113,53,443
UDP_IN: 53
UDP_OUT: 53,113,123
- Apache/Nginx:
TCP_IN: 80,443
If you are not using HTTPS, you can remove port 443.
- FTP server:
TCP_IN: 20,21
TCP_OUT: 20,21
UDP_IN: 20,21
UDP_OUT: 20,21
- Mail server:
TCP_IN: 25,110,143,587,993,995
TCP_OUT: 25,110
- MySQL server (if you need remote access):
TCP_IN: 3306
TCP_OUT: 3306
Note: If you are using IPv6, you also need to configure TCP6_IN, TCP6_OUT, UDP6_IN, and UDP6_OUT in the same way as the IPv4 lists. For further reference, see the list of TCP and UDP port numbers on Wikipedia.
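As an added example (not part of the original page and not CSF's own tooling), the following POSIX shell script turns the per-service table above into the four IPv4 lists and writes them into a csf.conf. The service names (base, web, ftp, mail, mysql), the function names and the CSF_DEMO variable are assumptions of this example; the port numbers are the page's. Run it against a copy of /etc/csf/csf.conf and diff the result before reloading with csf -r.

```shell
#!/bin/sh
# Added example, not from the original page or from CSF: build the four IPv4
# port lists from the services a host runs and write them into csf.conf.
# Assumptions: the service names below (base, web, ftp, mail, mysql) and all
# function names are this example's own; the port numbers are the page's table.

# Service -> direction -> ports, one row per line (from the page's table).
csf_service_ports() {
  cat <<'EOF'
base  TCP_IN  22,53
base  TCP_OUT 22,53,80,113,443
base  UDP_IN  53
base  UDP_OUT 53,113,123
web   TCP_IN  80,443
ftp   TCP_IN  20,21
ftp   TCP_OUT 20,21
ftp   UDP_IN  20,21
ftp   UDP_OUT 20,21
mail  TCP_IN  25,110,143,587,993,995
mail  TCP_OUT 25,110
mysql TCP_IN  3306
mysql TCP_OUT 3306
EOF
}

# csf_ports_for DIRECTION SERVICE... -> sorted, de-duplicated, comma-separated
# port list for that direction (empty if none of the services use it)
csf_ports_for() {
  dir=$1; shift
  for svc in "$@"; do
    csf_service_ports | awk -v s="$svc" -v d="$dir" '$1 == s && $2 == d { print $3 }'
  done | tr ',' '\n' | grep -v '^$' | sort -n -u | tr '\n' ',' | sed 's/,$//'
}

# csf_set_option FILE KEY VALUE -> rewrite the `KEY = "..."` line, or append it
csf_set_option() {
  file=$1; key=$2; value=$3
  if grep -q "^${key} = " "$file"; then
    sed -i.bak "s|^${key} = .*|${key} = \"${value}\"|" "$file" && rm -f "$file.bak"
  else
    printf '%s = "%s"\n' "$key" "$value" >> "$file"
  fi
}

# csf_get_option FILE KEY -> print the value of KEY without its quotes
csf_get_option() {
  sed -n "s/^$2 = \"\(.*\)\"\$/\1/p" "$1"
}

# csf_apply_services FILE SERVICE... -> set TCP_IN/TCP_OUT/UDP_IN/UDP_OUT to
# the "base" ports every server needs plus the ports of the named services
csf_apply_services() {
  file=$1; shift
  for dir in TCP_IN TCP_OUT UDP_IN UDP_OUT; do
    csf_set_option "$file" "$dir" "$(csf_ports_for "$dir" base "$@")"
  done
}

# Demo on a constructed copy of the default lists (never on the live file
# without reviewing the diff first). Run with: CSF_DEMO=1 sh this_script.sh
demo() {
  tmp=$(mktemp)
  printf '%s\n' 'TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"' \
    'TCP_OUT = "20,21,22,25,53,80,110,113,443"' \
    'UDP_IN = "20,21,53"' 'UDP_OUT = "20,21,53,113,123"' > "$tmp"
  csf_apply_services "$tmp" web mail   # a web + mail host: no FTP, no MySQL
  cat "$tmp"
  rm -f "$tmp"
}
if [ "${CSF_DEMO:-0}" = 1 ]; then demo; fi
```

For the web + mail host in the demo, TCP_IN collapses from the thirteen default ports to 22,25,53,80,110,143,443,587,993,995, which is the practical effect of Step 1: every port not tied to a running service disappears from the list.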
Step 2: Configure
Besides the ports, CSF has many more options in the configuration file. Some common ones you should know:
ICMP_IN allows pings to your server; set it to 0 to reject ping requests.
ICMP_IN_LIMIT limits the number of ping requests from one IP address in a given time. Usually you do not need to change the default value (1/s).
DENY_IP_LIMIT limits the number of IP addresses blocked by CSF; when the limit is exceeded, the oldest blocked IP is unblocked. Keep this number reasonable, because storing too many IPs can reduce system performance.
DENY_TEMP_IP_LIMIT is the same as above, but for temporarily blocked IPs.
LF_DAEMON enables login failure detection.
PACKET_FILTER filters invalid packets.
SYNFLOOD, SYNFLOOD_RATE and SYNFLOOD_BURST enable protection against SYN flood attacks.
CONNLIMIT limits the number of concurrent connections on a port. For example:
CONNLIMIT = "22;5,443;20"
allows a maximum of 5 concurrent connections to port 22 and 20 to port 443.
PORTFLOOD limits the number of new connections to a port in a given time period. For example:
PORTFLOOD = "22;tcp;5;250"
blocks an IP address that opens more than 5 connections to port 22 over TCP within 250 seconds. The block is removed automatically 250 seconds after the last packet from that IP. You can add more ports separated by commas:
port1;protocol1;connection_count1;time1,port2;protocol2;connection_count2;time2
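A malformed CONNLIMIT or PORTFLOOD entry is easy to produce by hand and only shows up when CSF reloads. As an added example (not from the page and not part of CSF), the POSIX shell functions below check both values against the field layouts just described, and additionally warn when a PORTFLOOD rule rate-limits a port that is not in the matching inbound list, since such a rule can never match. Function names are this example's own; the values are expected in the space-free form CSF uses.

```shell
#!/bin/sh
# Added example, not from the original page or from CSF: validate CONNLIMIT
# and PORTFLOOD values before running `csf -r`.
# Layouts (from the page): CONNLIMIT = "port;limit,port;limit"
#                          PORTFLOOD = "port;proto;hits;seconds,..."
# All function names are assumptions of this example.

is_uint()  { case "$1" in ''|*[!0-9]*) return 1;; *) return 0;; esac; }
is_port()  { is_uint "$1" && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }
is_proto() { case "$1" in tcp|udp) return 0;; *) return 1;; esac; }

# field ENTRY N -> the N-th ';'-separated field of ENTRY
field() { printf '%s' "$1" | cut -d';' -f"$2"; }
# nfields ENTRY -> how many ';'-separated fields ENTRY has
nfields() { printf '%s' "$1" | awk -F';' '{ print NF }'; }

# csf_check_connlimit VALUE -> 0 if every "port;limit" entry is well-formed,
# 1 (with a message on stderr) at the first bad entry; an empty value is fine
csf_check_connlimit() {
  old_ifs=$IFS; IFS=','; set -- $1; IFS=$old_ifs
  for entry in "$@"; do
    port=$(field "$entry" 1); limit=$(field "$entry" 2)
    [ "$(nfields "$entry")" -eq 2 ] && is_port "$port" &&
      is_uint "$limit" && [ "$limit" -gt 0 ] ||
      { echo "CONNLIMIT: malformed entry '$entry' (want port;limit)" >&2; return 1; }
  done
  return 0
}

# csf_check_portflood VALUE -> 0 if every "port;proto;hits;seconds" entry is
# well-formed, 1 (with a message on stderr) at the first bad entry
csf_check_portflood() {
  old_ifs=$IFS; IFS=','; set -- $1; IFS=$old_ifs
  for entry in "$@"; do
    port=$(field "$entry" 1); proto=$(field "$entry" 2)
    hits=$(field "$entry" 3); secs=$(field "$entry" 4)
    [ "$(nfields "$entry")" -eq 4 ] && is_port "$port" && is_proto "$proto" &&
      is_uint "$hits" && [ "$hits" -gt 0 ] && is_uint "$secs" && [ "$secs" -gt 0 ] ||
      { echo "PORTFLOOD: malformed entry '$entry' (want port;proto;hits;seconds)" >&2; return 1; }
  done
  return 0
}

# csf_port_in_list PORT LIST -> 0 if PORT is one of the comma-separated LIST
csf_port_in_list() { case ",$2," in *",$1,"*) return 0;; *) return 1;; esac; }

# csf_lint_portflood PORTFLOOD TCP_IN UDP_IN -> warn on stderr for each rule
# whose port is not open in the matching inbound list; print the warning count
csf_lint_portflood() {
  value=$1; tcp_in=$2; udp_in=$3; warnings=0
  old_ifs=$IFS; IFS=','; set -- $value; IFS=$old_ifs
  for entry in "$@"; do
    port=$(field "$entry" 1); proto=$(field "$entry" 2)
    if [ "$proto" = tcp ]; then list=$tcp_in; name=TCP_IN
    else list=$udp_in; name=UDP_IN; fi
    if ! csf_port_in_list "$port" "$list"; then
      echo "PORTFLOOD: port $port/$proto is rate-limited but not in $name" >&2
      warnings=$((warnings + 1))
    fi
  done
  echo "$warnings"
}

# Usage on constructed values (the page's examples plus a stray 3306 rule):
csf_check_connlimit "22;5,443;20" && echo "CONNLIMIT ok"
csf_check_portflood "22;tcp;5;250" && echo "PORTFLOOD ok"
csf_lint_portflood "22;tcp;5;250,3306;tcp;10;60" "22,53,80,443" "53" >/dev/null
```

The lint is the check worth keeping around: after trimming TCP_IN in Step 1, any PORTFLOOD or CONNLIMIT rule left over for a port you no longer open is dead configuration, and the warning points straight at it.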
CSF has many other parameters you can adjust. The defaults are reasonably good and already protect against flood attacks and port scans.
If you wish, read the comments in /etc/csf/csf.conf or refer to the official CSF guide.
Finally, for the changes to take effect, restart CSF with the command:
csf -r