Security on
-----
Installing our new firewall
Here we go.
# cd /tmp/
# wget https://download.configserver.com/csf.tgz
# tar xzf csf.tgz
# cd csf/
Check that everything needed to run CSF / LFD is in place:
# ./csftest.pl
If everything is OK you can install CSF / LFD.
# ./install.sh
Setting it up
Now configure your firewall. A good place to start is the man pages, the comments in /etc/csf/csf.conf and this site. For a quick setup follow the steps below.
First make sure that management of the server is only possible from your WAN IP address.
# vi /etc/csf/csf.allow
Add:
101.222.140.3 # Your WAN IP
The configuration file, /etc/csf/csf.conf, is very big: it has a lot of commented text, and even stripped down it is still pretty large. From top to bottom, these are the changed lines. Note that TESTING = "0" switches the firewall on for real: while TESTING is "1", lfd does not start and a cron job flushes the rules every TESTING_INTERVAL minutes, so keep it at "1" until you have confirmed that you can still log in from the allowed address.
TESTING = "0"
RESTRICT_SYSLOG = "3"
RESTRICT_SYSLOG_GROUP = "mysyslog"
RESTRICT_UI = "2"
AUTO_UPDATES = "0"
We’ll be making our own cron for automatic updates.
The below is important to understand. You will NOT put management ports (like 22 and 2222) in TCP_IN. That is why we allowed our WAN IP in csf.allow: a host listed there may reach every port, so SSH stays reachable from that address only.
# Allow incoming TCP ports
TCP_IN = "80,443"
# Allow outgoing TCP ports
TCP_OUT = "25,80,443,587"
# Allow incoming UDP ports
UDP_IN = ""
# Allow outgoing UDP ports
UDP_OUT = "53,123"
Use the same settings for the IPv6 lists (TCP6_IN, TCP6_OUT, UDP6_IN, UDP6_OUT). Continuing:
SYSLOG_CHECK = "300"
LF_ALERT_TO = "email@yourdomain.com"
LF_ALERT_FROM = "email@yourdomain.com"
URLGET = "1"
LF_DIRWATCH = "0"
LF_DIRWATCH_DISABLE = "0"
LF_DIRWATCH_FILE = "0"
LF_INTEGRITY = "0"
PT_LIMIT = "0"
PT_USERMEM = "0"
PT_USERTIME = "0"
UI = "0"
LOGSCANNER = "0"
That should do it. Restart the services and test your settings; keep an existing SSH session open while you do, so a mistake cannot lock you out.
# csf -r
# systemctl restart csf
# systemctl restart lfd
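Before running csf -r with TESTING = "0", it pays to check the settings above for the two mistakes this section warns about: a management port left in TCP_IN, and no csf.allow host to log in from. The Python script below is an added example, not part of this page or of ConfigServer. It parses csf.conf-style KEY = "value" lines and plain IP or CIDR entries in csf.allow (the tcp|in|d=... entry syntax is ignored, which is an assumption), and flags management ports in TCP_IN, an empty csf.allow with no management port open, TESTING still on, and IPv6 lists that differ from their IPv4 counterparts. The sample configuration and csf.allow are constructed inline to mirror this section.

```python
import ipaddress
import re

# Constructed sample inputs mirroring the settings in this section (not read from a server).
CSF_CONF = """\
TESTING = "0"
RESTRICT_SYSLOG = "3"
TCP_IN = "80,443"
TCP_OUT = "25,80,443,587"
UDP_IN = ""
UDP_OUT = "53,123"
TCP6_IN = "80,443"
TCP6_OUT = "25,80,443,587"
"""
CSF_ALLOW = """\
# Hosts listed here may reach every port, including SSH
101.222.140.3 # Your WAN IP
"""
# A deliberately weak variant: SSH open to the world and the firewall still in testing mode.
WEAK_CONF = (CSF_CONF.replace('TESTING = "0"', 'TESTING = "1"')
                     .replace('TCP_IN = "80,443"', 'TCP_IN = "22,80,443"'))

MANAGEMENT_PORTS = {22, 2222}   # assumed management ports that must stay out of TCP_IN

def parse_conf(text):
    """Parse KEY = "value" lines as written in /etc/csf/csf.conf; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def parse_ports(value):
    """Turn a comma-separated port list into a set of ints; port ranges (a:b) are expanded."""
    ports = set()
    for item in filter(None, (p.strip() for p in value.split(","))):
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            ports.update(range(lo, hi + 1))
        elif item.isdigit():
            ports.add(int(item))
    return ports

def allowed_hosts(text):
    """Plain IP or CIDR entries from csf.allow; other entry syntaxes are ignored (assumption)."""
    hosts = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            hosts.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass
    return hosts

def preflight(conf_text, allow_text, mgmt_ports=MANAGEMENT_PORTS):
    """Return a list of findings; an empty list means the checks passed."""
    conf = parse_conf(conf_text)
    findings = []
    exposed = sorted(parse_ports(conf.get("TCP_IN", "")) & mgmt_ports)
    if exposed:
        findings.append(f"management ports {exposed} are in TCP_IN and reachable from any address")
    if not exposed and not allowed_hosts(allow_text):
        findings.append("no management port in TCP_IN and no host in csf.allow: nobody can reach SSH")
    if conf.get("TESTING") == "1":
        findings.append("TESTING is 1: lfd does not start and the rules are flushed every TESTING_INTERVAL minutes")
    for v4, v6 in (("TCP_IN", "TCP6_IN"), ("TCP_OUT", "TCP6_OUT"),
                   ("UDP_IN", "UDP6_IN"), ("UDP_OUT", "UDP6_OUT")):
        if v4 in conf and v6 in conf and parse_ports(conf[v4]) != parse_ports(conf[v6]):
            findings.append(f"{v6} ({conf[v6]}) differs from {v4} ({conf[v4]})")
    return findings

if __name__ == "__main__":
    for name, conf in (("hardened", CSF_CONF), ("weak", WEAK_CONF)):
        print(name, preflight(conf, CSF_ALLOW) or ["OK"])
```

Run it against a copy of your real csf.conf and csf.allow before the restart; the weak variant shows that a port 22 entry in TCP_IN also makes the IPv6 list drift out of sync, which is easy to miss in a file this size.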
Cron
Create a cron for automatic updates in /etc/cron.d/csfupdate. Contents:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# Automatic updates for CSF / LFD security and firewall
30 5 * * * root /usr/sbin/csf -u
There are two additions I want to make.
The first is a more granular and universal approach to the brute force mechanism (the LFD part, or Login Failure Daemon).
It is pretty simple, just make these small adjustments.
Better LFD configuration
We have brute force protection for all kinds of services, and the defaults are probably not ideal. With these settings we make things more transparent: LF_TRIGGER = "0" keeps a separate counter per application, and each LF_*_PERM = "1" makes that application's block permanent (a value above 1 would be a temporary block in seconds). You can of course adjust the thresholds per server role.
In the /etc/csf/csf.conf at the Login Failure Blocking and Alerts section:
LF_TRIGGER = "0"
LF_TRIGGER_PERM = "1"
LF_SELECT = "0"
LF_EMAIL_ALERT = "1"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "10"
LF_FTPD_PERM = "1"
LF_SMTPAUTH = "10"
LF_SMTPAUTH_PERM = "1"
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"
LF_POP3D = "10"
LF_POP3D_PERM = "1"
LF_IMAPD = "10"
LF_IMAPD_PERM = "1"
LF_HTACCESS = "10"
LF_HTACCESS_PERM = "1"
LF_MODSEC = "10"
LF_MODSEC_PERM = "1"
That is all!
LFD mail example
Not every attack is picked up by the default LFD rules. We can work around that with custom regular expressions. This is not very easy to do, but with these examples you can come a long way. As a first example we want to block attempts like this one:
Feb 16 08:13:32 mail02 postfix/submission/smtpd[4312]: warning: unknown[83.219.76.26]: SASL PLAIN authentication failed:
The first step is to find out which log the brute force attempts show up in. Register that log at the bottom of /etc/csf/csf.conf, in one of the CUSTOM*_LOG slots. In our case it is mail.log:
CUSTOM1_LOG = "/var/log/mail.log"
You might notice that, above this setting, other services already read the same log. That does not matter; add it as a custom log as well.
Next add your regular expression to the /usr/local/csf/bin/regex.custom.pm file.
# Permanently block an IP address that has 10 failed SASL login attempts
# Return fields: alert text, IP, trigger name, failures before blocking,
# ports the block applies to, block time in seconds (1 = permanent)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/submission\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","10","25,465,587","1");
}
This will permanently block an IP that has 10 failed SASL login attempts.
Restart CSF and LFD.
# csf -r
# systemctl restart csf lfd
As said, regular expressions are not easy to set up. You can get a bit of help from a regex tester like this site: create your expression, paste in the log line and see whether it matches. Also paste in a few lines that should not match, so the rule does not block legitimate traffic.
LFD Nginx example
Block Nginx vulnerability scanners. The two messages matched below ("access forbidden by rule" and "No such file or directory") are written to the Nginx error log, not the access log, so that is the file to register. If mail.log from the previous example already occupies CUSTOM1_LOG, use the next free slot (CUSTOM2_LOG) here and in the expressions. Be aware that the 404 rule also counts ordinary visitors who request missing assets, so ten misses in 24 hours may be too aggressive for a busy site; raise the count or narrow the pattern to suit.
CUSTOM1_LOG = "/var/log/nginx/error.log"
Next add your regular expression to the /usr/local/csf/bin/regex.custom.pm file.
# NginX security rules trigger - 10 errors blocks for 24 hours
# Catch an IP that attempts to access a URL that is forbidden by NginX rules.
# In error.log the address is followed by a comma ("client: 1.2.3.4, server: ..."),
# so the capture must stop at that comma; a bare (\S+) would hand LFD "1.2.3.4,",
# which is not an address it can block.
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*access forbidden by rule, client: (\S+),.*/)) {
    return ("NGINX Security rule triggered from",$1,"nginx_security","10","80,443","86400");
}
# NginX 404 errors - 10 errors blocks for 24 hours
# Catch an IP that accesses non-existent files and directories
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
    return ("NGINX Security rule triggered from",$1,"nginx_404s","10","80,443","86400");
}
Restart CSF and LFD.
# csf -r
# systemctl restart csf lfd
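Both custom rules above, and the SASL rule from the mail example, can be checked without touching a live server. The Python script below is an added example, not from this page and not part of CSF: it applies the same three patterns to constructed log lines (Python's re accepts the Perl syntax once the \/ escapes are dropped), tallies matches per address the way LFD counts a trigger towards its threshold, and shows why the client capture in the Nginx rule must stop at the comma. Hostnames, PIDs and addresses in the sample lines are made up.

```python
import ipaddress
import re
from collections import Counter

# The three patterns from regex.custom.pm, carried over with the Perl \/ escapes dropped.
SASL_RE = re.compile(
    r'^\S+\s+\d+\s+\S+ \S+ postfix/submission/smtpd\[\d+\]: warning:.*'
    r'\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed')
NGINX_FORBIDDEN_RE = re.compile(r'access forbidden by rule, client: (\S+),')
NGINX_404_RE = re.compile(r'No such file or directory\), client: (\S+),')
# The same rule with the capture not anchored on the comma, kept to show what it captures.
NGINX_FORBIDDEN_SLOPPY_RE = re.compile(r'.*access forbidden by rule, client: (\S+).*')

# Constructed log lines (hostnames, PIDs and addresses are made up for this example).
def sasl_line(sec, ip, mech, service="postfix/submission/smtpd"):
    return (f"Feb 16 08:13:{sec:02d} mail02 {service}[4312]: warning: unknown[{ip}]: "
            f"SASL {mech} authentication failed: authentication failure")

MAIL_LOG = (
    [sasl_line(i, "83.219.76.26", "PLAIN") for i in range(10)]          # brute forcer: 10 failures
    + [sasl_line(11, "198.51.100.7", "LOGIN")]                           # one failure, below threshold
    + [sasl_line(12, "192.0.2.44", "PLAIN", service="postfix/smtpd")]    # port 25 smtpd: outside the regex
    + ["Feb 16 08:14:01 mail02 postfix/submission/smtpd[4312]: connect from unknown[83.219.76.26]"]
)
NGINX_ERROR_LOG = [
    '2024/02/16 08:20:01 [error] 1234#1234: *55 access forbidden by rule, client: 203.0.113.9, '
    'server: www.example.com, request: "GET /.git/config HTTP/1.1", host: "www.example.com"',
    '2024/02/16 08:20:02 [error] 1234#1234: *56 open() "/var/www/html/wp-login.php" failed '
    '(2: No such file or directory), client: 203.0.113.9, server: www.example.com, '
    'request: "GET /wp-login.php HTTP/1.1", host: "www.example.com"',
]

def captures(lines, regex):
    """Group 1 of every matching line, in order: the value LFD would treat as the IP to block."""
    return [m.group(1) for m in map(regex.search, lines) if m]

def is_blockable(ip):
    """A capture must be a bare address; '203.0.113.9,' is not and can never be blocked."""
    try:
        ipaddress.ip_address(ip)
        return True
    except ValueError:
        return False

def failures_per_ip(lines, regex):
    """Count matches per address, the way LFD tallies a custom trigger."""
    return dict(Counter(captures(lines, regex)))

def would_block(lines, regex, threshold):
    """Addresses that reached the trigger count (the fourth field of the Perl return)."""
    return sorted(ip for ip, n in failures_per_ip(lines, regex).items() if n >= threshold)

if __name__ == "__main__":
    print("SASL failures per IP:", failures_per_ip(MAIL_LOG, SASL_RE))
    print("blocked at 10 failures:", would_block(MAIL_LOG, SASL_RE, 10))
    print("sloppy Nginx capture:", captures(NGINX_ERROR_LOG, NGINX_FORBIDDEN_SLOPPY_RE))
    print("fixed Nginx capture: ", captures(NGINX_ERROR_LOG, NGINX_FORBIDDEN_RE))
```

Two things the run makes visible that the rules alone do not: the SASL pattern only matches the submission service, so failures logged by postfix/smtpd on port 25 never count, and the unanchored Nginx capture returns "203.0.113.9," with the comma, which is not an address and would silently never be blocked. Feed a few hundred real lines from your own logs through the same functions before enabling a rule.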
When you add multiple custom logs, use the matching key in each expression: a rule for the log registered as CUSTOM2_LOG must test $globlogs{CUSTOM2_LOG}{$lgfile}, not CUSTOM1_LOG, or it will never fire.
---