The first thing on your mind when setting up a new Linux server (dedicated or VPS) is how to make it more secure. One of the best tools in your bag of tricks should be ConfigServer Security & Firewall (CSF) together with its Login Failure Daemon (LFD).
CSF/LFD is distributed under ConfigServer's own script licence: free of charge, with no warranty or support.
Before installing CSF, please disable other security applications such as denyhosts, fail2ban or cPanel’s cPHulk.
Installation is a breeze and consists of the following commands:
mkdir /home/tmp
cd /home/tmp/
wget http://www.configserver.com/free/csf.tgz
tar zxvf csf.tgz
cd csf
./install.sh
Make sure there are no errors at the end there, then run this command:
perl /etc/csf/csftest.pl
This will “test whether the required iptables modules are functioning on the server. Don’t worry if it cannot run all the features, so long as the script doesn’t report any FATAL errors.”
Next, let’s make sure we have all of the IPs you’ll be connecting from whitelisted. Edit /etc/csf/csf.allow and /etc/csf/csf.ignore and add them.
If you are using cPanel, DirectAdmin or Webmin you’ll have a nice GUI now for CSF. Otherwise, you’ll want to add your IP address to /etc/csf/ui/ui.allow to allow connection to the included GUI for servers without control panels.
Your csf/lfd is now installed, but it is still in testing mode. If you think you've done everything correctly, enable the firewall and then tail its messages log:
Edit: /etc/csf/csf.conf
Change
TESTING = "1"
to:
TESTING = "0"
Then start it with:
service csf start && service lfd start
Then tail the messages file:
tail -f /var/log/messages
(and watch for it blocking IP addresses that you don't want blocked)
If you need to shut csf/lfd down quickly:
service csf stop && service lfd stop
If you're happy with it, set it to start automatically at boot:
chkconfig csf on && chkconfig lfd on
If you are using a control panel like cPanel/WHM, Webmin or Directadmin you can now go into the GUI and play around with it a bit.
Next: Server security check
Open the CSF GUI (https://www.yourserver.com:PORT, or find it through your normal control panel) and click the “Check Server Security” button. Look over the list and use its suggestions to make the server as secure as possible.
If you don't see the “View LFD Statistics” button, install perl-GDGraph3d:
yum install perl-GDGraph3d
Next: Firewall Security Level
If you've gotten this far, all signs point to a successful installation. At this point, change the default firewall security level to Medium or High (the default is Low).
Restart csf (from the gui if you want) and you’re done!
Now that you have some time, take that time and read the full README file on their site: http://configserver.com/free/csf/readme.txt
If you need assistance with this, I’d be more than happy to install it for you. You can contact me through my Linux support site.
Can I ask why denyhosts, fail2ban or cPanel’s cPHulk need to be disabled/uninstalled first?
Sorry – I should have made clear that it is totally up to the admin of the server, but I wouldn't recommend running any other security suite that may try to write iptables rules while running CSF.
denyhosts doesn't use iptables (it uses /etc/allow and /etc/deny), but why have it running if csf is a better solution?
fail2ban does update iptables rules.
cPHulk uses its own database to block logins and some like to use them side by side, but I see it as unneeded overhead and would rather have only one place to allow/block access to the server.
This is from the CSF install text:
Thank you very much sir, now I can administrate my Linux server properly.
Hey, I am totally new to the whole Linux thing so pardon me for maybe some stupid questions.
I read that Linux more or less is so secure that it actually isn’t necessary to install a firewall. What do you think about this?
On a personal computer maybe you don't need one, but on a server you definitely need a firewall; years back I was surprised to see hundreds of attempts to brute-force my servers within just a few days, but thanks to the firewall and changing the SSH port away from the default they have been denied access to my servers, I hope haha