Tag: csf

  • How to whitelist a hostname in CSF firewall

    Firewalls usually allow or block IP addresses. If you need to allow a hostname, you need to find its IP address and whitelist that IP address. If you use a dynamic DNS service like noip or dyndns, the IP address of your hostname changes whenever your internet provider assigns you a new IP address.

    ConfigServer Security and Firewall (CSF) supports dynamic DNS. This feature can be used to whitelist normal hostnames too.

    To allow a hostname, log in to your server using SSH.

    Edit the file

    vi /etc/csf/csf.dyndns

    In this file, you can add your hostname to the whitelist.

    In the CSF config file, you need to make the following changes.

    vi /etc/csf/csf.conf

    Set the value for DYNDNS

    DYNDNS = "600"

    This will tell the CSF firewall to check for the IP address of whitelisted hostnames every 10 minutes. You can change this as needed.

    DYNDNS_IGNORE = "1"

    By setting the value of DYNDNS_IGNORE to 1, the CSF firewall will never block these IP addresses even if there are failed login attempts or too many connections.

    Restart lfd

    systemctl restart lfd
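
    A pre-flight check for the steps above, as an added example that is not part of the original post and is not CSF's own code. It reads a csf.conf and a csf.dyndns file, reports entries that are not bare hostnames, and shows how many entries DYNDNS_IGNORE exempts from blocking; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not CSF's own code): sanity-check the hostname whitelist.

# conf_get FILE KEY: print the value of a KEY = "value" line (last one wins)
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# dyndns_audit CONF LIST: print findings, return the number of warnings
dyndns_audit() {
    conf=$1; list=$2
    hosts=$(grep -Ev '^[[:space:]]*(#|$)' "$list" 2>/dev/null || true)
    count=$(printf '%s' "$hosts" | grep -c . || true)
    [ "$count" -gt 0 ] || return 0          # nothing whitelisted by hostname
    findings=$(printf '%s\n' "$hosts" | while read -r h; do
        case $h in
            (*'|'*) ;;                      # lines with '|' are left to CSF, not checked here
            (*[!A-Za-z0-9.-]*) echo "WARN: '$h' is not a bare hostname" ;;
            (*[A-Za-z]*) ;;                 # plausible hostname
            (*) echo "WARN: '$h' is an IP address; it belongs in csf.allow" ;;
        esac
    done)
    warn=$(printf '%s' "$findings" | grep -c . || true)
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; fi
    interval=$(conf_get "$conf" DYNDNS)
    if [ "${interval:-0}" = "0" ]; then
        echo "WARN: DYNDNS is 0, so lfd never resolves the $count listed entries"
        warn=$((warn + 1))
    fi
    if [ "$(conf_get "$conf" DYNDNS_IGNORE)" = "1" ]; then
        echo "NOTE: DYNDNS_IGNORE=1 exempts $count entries from lfd blocking"
    fi
    return "$warn"
}

# Constructed sample input (hostnames and address are documentation values)
tmp=$(mktemp -d)
printf 'DYNDNS = "600"\nDYNDNS_IGNORE = "1"\n' > "$tmp/csf.conf"
printf '# office\nhome.example.net\nhttps://vpn.example.net\n203.0.113.5\n' > "$tmp/csf.dyndns"
dyndns_audit "$tmp/csf.conf" "$tmp/csf.dyndns" || echo "$? warning(s)"
rm -rf "$tmp"
```

    On a real server, call it as dyndns_audit /etc/csf/csf.conf /etc/csf/csf.dyndns. With DYNDNS_IGNORE set to 1, anyone who can change the DNS record of a listed hostname controls an address that lfd will not block, so keep the list short.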

  • Whitelisting an IP Address in CSF Firewall

    There are 3 ways to whitelist an IP address in ConfigServer Security & Firewall (csf). Whitelisting an IP address allows that address to access all ports on the server, including any closed ports. For example, you can block SSH port 22 on the server and then add your IP address to the whitelist; you will still be able to access SSH from your IP address.

    Using WHM

    Log in to WHM as user root. Then go to WHM > Plugins > ConfigServer Security & Firewall.

    In the text box to the right of the “Quick Allow” button, enter the IP address you need to whitelist. Then click the “Quick Allow” button.

    The Quick Deny option below can be used to block an IP address from accessing the server.

    Quick Ignore allows you to ignore any IP address. This is the same as Quick Allow, with one difference: if you whitelist an IP address using the Quick Allow option and the IP fails some ModSecurity rules or makes several failed logins, it gets blocked. If you ignore an IP address, it will never get blocked by ModSecurity or lfd.

    Using csf command

    If you are logged in to SSH or WHM > Terminal, you can run the following command to whitelist an IP address.

    csf -a IP_ADDR_HERE
    

    The IP address can be a single IP address or an IP range in CIDR format.

    To block an IP, use

    csf -d IP_ADDR_HERE
    

    Manually editing csf.allow

    To allow an IP or IP range (CIDR format), you can edit the file

    vi /etc/csf/csf.allow
    

    If you need to ignore an IP address, add the IP to the file

    vi /etc/csf/csf.ignore
    

    IPs added to csf.ignore will never get banned due to lfd or ModSecurity failures. IPs in csf.allow can be blocked by ModSecurity or lfd.

    Add your IP to the file. Then restart the csf firewall.

    csf -r
    

  • Disable cPHulk Brute Force Protection

    cPanel servers have a brute force attack detection module called cPHulk Brute Force Protection. If your server has other brute force detection software, such as ConfigServer Security & Firewall, you may need to disable cPHulk Brute Force Protection, as you don’t need two programs for the same purpose running on the server.

    To disable cPHulk Brute Force Protection, run

    /usr/local/cpanel/bin/cphulk_pam_ctl --disable
    

    You can also use

    https://SERVER_IP:2087/scripts2/doautofixer?autofix=disable_cphulkd
    

    Or log in to WHM and go to

    WHM Home > Security Center > cPHulk Brute Force Protection
    

    Click the OFF button to disable cPHulk.

  • csf error path to iptables is either not set or incorrect

    When installing the csf firewall on Ubuntu 20.04, I get the following error

    root@ok:~# csf
    *Error* The path to iptables is either not set or incorrect for IPTABLES [/usr/sbin/ip6tables] in /etc/csf/csf.conf at /usr/local/csf/lib/ConfigServer/URLGet.pm line 26.
    Compilation failed in require at /usr/sbin/csf line 21.
    BEGIN failed--compilation aborted at /usr/sbin/csf line 21.
    root@ok:~#
    

    This is because the path for iptables has changed in Ubuntu 20.04. To fix the error, edit csf.conf

    vi /etc/csf/csf.conf
    

    Find

    IPTABLES = "/sbin/iptables"
    IPTABLES_SAVE = "/sbin/iptables-save"
    IPTABLES_RESTORE = "/sbin/iptables-restore"
    IP6TABLES = "/sbin/ip6tables"
    IP6TABLES_SAVE = "/sbin/ip6tables-save"
    IP6TABLES_RESTORE = "/sbin/ip6tables-restore"
    

    Replace with

    IPTABLES = "/usr/sbin/iptables"
    IPTABLES_SAVE = "/usr/sbin/iptables-save"
    IPTABLES_RESTORE = "/usr/sbin/iptables-restore"
    IP6TABLES = "/usr/sbin/ip6tables"
    IP6TABLES_SAVE = "/usr/sbin/ip6tables-save"
    IP6TABLES_RESTORE = "/usr/sbin/ip6tables-restore"
    

    Now restart csf with csf -r and it will work.

    csf -r
    systemctl restart lfd
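
    The same fix applies on any distribution where the binaries have moved. As an added example (not CSF's own code and not from the original post), the function below reads the six iptables settings from a csf.conf, tests whether each path is executable, and prints the sed command that points a stale entry at the binary found on PATH; the function name is constructed for illustration and the sample holds the pre-fix values quoted above.

```shell
#!/bin/sh
# Added example (not CSF's own code): find stale iptables paths in csf.conf.

# check_csf_paths CONF: for every iptables setting whose binary is missing,
# print the sed command that repoints it at the binary found on PATH.
# Returns the number of settings that need attention.
check_csf_paths() {
    conf=$1; bad=0
    for key in IPTABLES IPTABLES_SAVE IPTABLES_RESTORE \
               IP6TABLES IP6TABLES_SAVE IP6TABLES_RESTORE; do
        path=$(sed -n "s/^$key[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$conf" | tail -n 1)
        if [ -z "$path" ]; then
            echo "# $key is not set in $conf"; bad=$((bad + 1)); continue
        fi
        [ -x "$path" ] && continue          # path is valid, nothing to do
        bad=$((bad + 1))
        found=$(command -v "${path##*/}" 2>/dev/null || true)
        if [ -n "$found" ]; then
            echo "sed -i 's|^$key = .*|$key = \"$found\"|' $conf"
        else
            echo "# $key: ${path##*/} not found on PATH, install it first"
        fi
    done
    return "$bad"
}

# Constructed sample: the pre-fix values from the post
sample=$(mktemp)
for pair in IPTABLES:iptables IPTABLES_SAVE:iptables-save \
            IPTABLES_RESTORE:iptables-restore IP6TABLES:ip6tables \
            IP6TABLES_SAVE:ip6tables-save IP6TABLES_RESTORE:ip6tables-restore; do
    echo "${pair%%:*} = \"/sbin/${pair##*:}\"" >> "$sample"
done
check_csf_paths "$sample" || echo "# $? setting(s) need attention"
rm -f "$sample"
```

    Run it as root so that /usr/sbin is on PATH, review the printed commands, and restart csf and lfd after applying them.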
    

  • Install CSF Firewall

    For a non-cPanel server, install the Perl modules

    yum install -y perl perl-libwww-perl perl-Time-HiRes unzip bind-utils
    

    On Ubuntu

    apt-get install libwww-perl
    

    Once we have the requirements installed, install csf with

    cd /usr/local/src
    wget https://download.configserver.com/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh
    
    sed -i "s/RESTRICT_SYSLOG = \"0\"/RESTRICT_SYSLOG = \"1\"/g" /etc/csf/csf.conf
    

  • Enable UI in CSF Firewall on CentOS

    CSF Firewall comes with a standalone UI. This is disabled by default. On CentOS, install the following requirements

    yum install perl-IO-Socket-SSL perl-Net-SSLeay perl-Net-LibIDN  perl-IO-Socket-INET6 perl-Socket6
    

    Edit the CSF configuration file

    vi /etc/csf/csf.conf
    

    Find

    UI = "0"
    

    Replace with

    UI = "1"
    

    Change the following settings as needed.

    UI_PORT = "6666"
    UI_USER = "username"
    UI_PASS = "password"
    

    By default, only whitelisted IPs can access the UI. To whitelist your IP, run

    echo "YOUR_IP_ADDR" >> /etc/csf/ui/ui.allow
    

    If you want to allow access to the CSF UI from all IP addresses, set UI_ALLOW to 0 in csf.conf

    UI_ALLOW = "0"
    

    CSF uses a self-signed SSL certificate; if you have an SSL certificate, you can use it. The SSL certificate is available in the folder

    /etc/csf/ui/
    

    To use a free Let's Encrypt SSL certificate for the CSF UI, I set symlinks to the SSL certificate.

    cd /etc/csf/ui
    mv server.key server.key.old
    mv server.crt server.crt.old
    ln -s /etc/letsencrypt/live/DOMAIN/fullchain.pem server.crt
    ln -s /etc/letsencrypt/live/DOMAIN/privkey.pem server.key
    

    Now restart CSF and lfd

    systemctl restart lfd
    systemctl restart csf
    

    You will see CSF UI running on port 6666.

    [root@grupo conf.d]# netstat -lntp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
    tcp        0      0 0.0.0.0:6666            0.0.0.0:*               LISTEN      20605/lfd UI        
    tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      23918/mysqld        
    tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      2203/perl           
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1275/master         
    tcp        0      0 0.0.0.0:3333            0.0.0.0:*               LISTEN      19061/sshd          
    tcp6       0      0 :::80                   :::*                    LISTEN      19810/httpd         
    tcp6       0      0 ::1:25                  :::*                    LISTEN      1275/master         
    tcp6       0      0 :::443                  :::*                    LISTEN      19810/httpd         
    tcp6       0      0 :::3333                 :::*                    LISTEN      19061/sshd          
    [root@grupo conf.d]# 
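
    Before exposing the port, it is worth reviewing the settings from the steps above. The function below is an added example (not CSF's own code and not from the original post): it reads a csf.conf and a ui.allow file and flags an open UI_ALLOW, an empty allow list, the placeholder UI_USER and UI_PASS values shown above, and a csf.conf that is readable beyond its owner. The function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not CSF's own code): review the UI settings before enabling it.

# conf_get FILE KEY: print the value of a KEY = "value" line (last one wins)
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# ui_audit CONF ALLOW_FILE: print findings, return the number of warnings
ui_audit() {
    conf=$1; allow=$2; warn=0
    [ "$(conf_get "$conf" UI)" = "1" ] || return 0      # UI disabled, nothing exposed
    if [ "$(conf_get "$conf" UI_ALLOW)" = "0" ]; then
        echo "WARN: UI_ALLOW=0, port $(conf_get "$conf" UI_PORT) takes logins from any IP"
        warn=$((warn + 1))
    elif ! grep -Eqv '^[[:space:]]*(#|$)' "$allow" 2>/dev/null; then
        echo "WARN: $allow has no entries, so no client IP may reach the UI"
        warn=$((warn + 1))
    fi
    if [ "$(conf_get "$conf" UI_USER)" = "username" ]; then
        echo "WARN: UI_USER is still the placeholder 'username'"; warn=$((warn + 1))
    fi
    if [ "$(conf_get "$conf" UI_PASS)" = "password" ]; then
        echo "WARN: UI_PASS is still the placeholder 'password'"; warn=$((warn + 1))
    fi
    # UI_PASS is stored in clear text, so group/other must have no access
    perms=$(ls -lL "$conf" 2>/dev/null | cut -c5-10)
    if [ -n "$perms" ] && [ "$perms" != "------" ]; then
        echo "WARN: $conf is accessible to group/other ($perms)"; warn=$((warn + 1))
    fi
    return "$warn"
}

# Constructed sample: the values shown in the post, with UI_ALLOW turned off
tmp=$(mktemp -d)
printf '%s\n' 'UI = "1"' 'UI_PORT = "6666"' 'UI_USER = "username"' \
    'UI_PASS = "password"' 'UI_ALLOW = "0"' > "$tmp/csf.conf"
ui_audit "$tmp/csf.conf" "$tmp/ui.allow" || echo "$? warning(s)"
rm -rf "$tmp"
```

    On a real server, call it as ui_audit /etc/csf/csf.conf /etc/csf/ui/ui.allow before restarting lfd.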
    
  • Unban an IP from CSF Firewall

    To unban an IP from the CSF firewall, run

    csf -dr IP_ADDR
    

    Here I have an IP blocked in the firewall.

    [root@server22 ~]# iptables -L -n | grep 13.224.29.193
    DROP       all  --  13.224.29.193        0.0.0.0/0           
    LOGDROPOUT  all  --  0.0.0.0/0            13.224.29.193       
    [root@server22 ~]# 
    

    To see if CSF is blocking the IP, run

    csf -g IP_ADDR
    

    This command also gives the reason why the IP is blocked.

    Let's unban the IP address with the command

    csf -dr IP_ADDR
    

    Now the IP should not be listed in iptables; verify it with

    iptables -L -n | grep IP_ADDR
    

  • ConfigServer Security and Firewall (CSF)

    How to use CSF Firewall

    Firewall Configuration

    CSF Requirements

    On CentOS/RHEL

    yum install -y perl perl-libwww-perl perl-Time-HiRes unzip bind-utils
    

    On Debian/Ubuntu

    apt -y install libwww-perl
    

    Install CSF firewall

    cd /usr/local/src
    wget https://download.configserver.com/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh
    

    Configure some basic settings for CSF

    /bin/sed -i "s/RESTRICT_SYSLOG\s*=.*$/RESTRICT_SYSLOG = \"3\"/g" /etc/csf/csf.conf
    /bin/sed -i "s/SYSLOG_CHECK\s*=.*$/SYSLOG_CHECK = \"3600\"/g" /etc/csf/csf.conf
    /bin/sed -i "s/SMTP_BLOCK\s*=.*/SMTP_BLOCK = \"1\"/g" /etc/csf/csf.conf
    /bin/sed -i "s/LF_GLOBAL\s*=.*$/LF_GLOBAL = \"1800\"/g" /etc/csf/csf.conf
    /bin/sed -i "s/LF_SCRIPT_ALERT\s*=.*$/LF_SCRIPT_ALERT = \"1\"/g" /etc/csf/csf.conf
    /bin/sed -i "s/PT_ALL_USERS\s*=.*$/PT_ALL_USERS = \"1\"/g" /etc/csf/csf.conf
    /bin/sed -i "s/TESTING = \"1\"/TESTING = \"0\"/g" /etc/csf/csf.conf
    

    Restart csf

    csf -r
    

    Block an IP

    csf -d IP_ADD
    

    Whitelist an IP

    csf -a IP_ADD