Configuring CSF

Need a hand? Contact me at [email protected] (Hangouts preferred).

CSF (ConfigServer Security & Firewall) is the firewall most commonly used on cPanel servers. It provides better security for your server and an easy management console for the firewall. CSF also ships with LFD (Login Failure Daemon), which watches user activity for excessive login failures, the pattern typically seen during brute-force attacks.

Please refer to the URL below for the steps to install CSF on a server:

Installation/Upgradation of IPTABLES and CSF

Please refer to the snippet below for the commonly used CSF commands:

csf -s                 Start csf
csf -l                 Show status (list the current rules)
csf -e                 Enable csf
csf -x                 Disable or stop csf
csf -r                 Restart csf
csf -v                 Show the version
csf -uf                Force an update of csf
csf -g IP_ADDRESS      Check whether an IP is blocked or not
csf -d IP_ADDRESS      Permanently block an IP
csf -td IP_ADDRESS     Temporarily block an IP
csf -dr IP_ADDRESS     Remove a permanent IP block
csf -tr IP_ADDRESS     Remove a temporary IP block

To find out why an IP was blocked previously, search lfd's log for it:

grep "IP_ADDRESS" /var/log/lfd.log
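The grep above is the quick way. As an added example (not part of the original post), the script below wraps it in a small POSIX sh helper that matches the IP literally and on whole-address boundaries (so 203.0.113.5 does not also match 203.0.113.50) and reduces each block event to its timestamp and the lfd trigger tag in square brackets. The log lines are constructed in lfd's usual layout for the demo and are not a real log; pass a real path as the second argument to run it against /var/log/lfd.log.

```shell
#!/bin/sh
# Constructed sample of lfd.log lines (layout follows lfd; not a real log).
SAMPLE_LFD_LOG=$(cat <<'EOF'
Mar 10 09:12:01 host lfd[2231]: (sshd) Failed SSH login from 203.0.113.5 (XX/Example/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Mar 10 09:15:44 host lfd[2231]: *Port Scan* detected from 198.51.100.7 (XX/Example/-). 11 hits in the last 30 secs - *Blocked in csf* [PS_LIMIT]
Mar 10 09:30:02 host lfd[2231]: (CT) IP 203.0.113.5 (XX/Example/-) found to have 160 connections - *Blocked in csf* for 1800 secs [CT_LIMIT]
Mar 10 09:45:10 host lfd[2231]: *Suspicious File* /tmp/x.sh [user:1000] - Script, starts with #!
EOF
)

# block_reason IP [LOGFILE]
# Prints one line per block event for IP: "<timestamp> <trigger tag>".
# Reads LOGFILE if given, otherwise the constructed sample above.
block_reason() {
  ip=$1
  src=${2:-}
  if [ -n "$src" ]; then
    data=$(cat "$src")
  else
    data=$SAMPLE_LFD_LOG
  fi
  # Escape the dots so they are literal, and require a non-digit (or line
  # edge) on both sides so a shorter address never matches a longer one.
  pat=$(printf '%s' "$ip" | sed 's/\./\\./g')
  printf '%s\n' "$data" \
    | grep -E "(^|[^0-9])${pat}([^0-9]|$)" \
    | grep 'Blocked in csf' \
    | sed -E 's/^([A-Za-z]+ +[0-9]+ [0-9:]+) .*\[([A-Z_]+)\]$/\1 \2/'
}

# count_blocks IP [LOGFILE]: number of block events recorded for IP.
count_blocks() {
  block_reason "$@" | grep -c . || true
}

# Usage against the constructed sample:
block_reason 203.0.113.5
```

The trigger tag (LF_SSHD, PS_LIMIT, CT_LIMIT, ...) names the csf.conf setting that caused the block, which is what you need to know before deciding whether to loosen that setting or leave the block in place.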

CSF can also be used to protect the server from a small-scale DDoS attack using the parameters LF_MODSEC, SYNFLOOD, PORTFLOOD and CT_LIMIT. Please refer below for more details:

LF_MODSEC
=========

We can block connections to a domain using mod_security. CSF is connected to mod_security, so if we write a rule to block a domain, the IPs from which connections to that domain are made will be blocked in the firewall. Since this is a DDoS attack, many IPs will be connecting to the server, and blocking a high number of IP addresses can load the server and bring it down. To prevent that, first disable lfd's mod_security log checking.

In /etc/csf/csf.conf, set the following:


LF_MODSEC = "0"

csf -r

Then, in the mod_security configuration file, you can add the following (ModSecurity 2.7 and later also require a unique id action on every rule):


SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "domain\.com"

PORTFLOOD
=========
PORTFLOOD is enabled in CSF when we are getting too many connections from a single IP. Each entry has the form port;protocol;hit count;interval in seconds. Please refer to the snippet below for a sample PORTFLOOD setting:

In /etc/csf/csf.conf, set the following:
PORTFLOOD = "80;tcp;100;5"

The above setting limits an IP to 100 connections in 5 seconds to port 80 (tcp).

CT_LIMIT
=========

We can limit the number of connections a single IP holds to the server using CT_LIMIT, and restrict the check to particular ports with CT_PORTS. Please refer to the snippet below for enabling CT_LIMIT:

In /etc/csf/csf.conf, set the following:
CT_LIMIT = "150"
CT_PORTS = "80"

With these settings, any IP address that makes more than 150 connections to the web site on the standard and/or secure ports will be blocked in the firewall. By default, that is a temporary block for 30 minutes. The CT_BLOCK_TIME setting can extend the block period, and by toggling the CT_PERMANENT setting you can arrange for the IP addresses to be blocked permanently.
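The PORTFLOOD and CT_LIMIT sections above both boil down to a few quoted values in csf.conf whose meaning is easy to get wrong (the field order in PORTFLOOD in particular). As an added example, not part of the original post or of CSF itself, the POSIX sh helpers below read a setting out of csf.conf syntax, spell out what each PORTFLOOD entry will do, reject malformed entries, and summarise the CT settings. The csf.conf excerpt is constructed for the demo; the function names csf_get, explain_portflood and explain_ct are my own.

```shell
#!/bin/sh
# Constructed csf.conf excerpt (same syntax as the real file, not a copy of it).
SAMPLE_CSF_CONF=$(cat <<'EOF'
# Connection tracking and port flood protection
LF_MODSEC = "0"
PORTFLOOD = "80;tcp;100;5,443;tcp;100;5"
CT_LIMIT = "150"
CT_PORTS = "80"
CT_BLOCK_TIME = "1800"
CT_PERMANENT = "0"
EOF
)

# csf_get KEY [FILE]: print the quoted value of KEY (first match wins).
csf_get() {
  key=$1
  src=${2:-}
  if [ -n "$src" ]; then data=$(cat "$src"); else data=$SAMPLE_CSF_CONF; fi
  printf '%s\n' "$data" \
    | sed -n "s/^${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
    | head -n1
}

# explain_portflood VALUE: one line per comma-separated entry.
# Each entry must be port;protocol;hits;seconds; anything else returns 1.
explain_portflood() {
  old_ifs=$IFS
  IFS=','
  set -- $1
  IFS=$old_ifs
  for entry in "$@"; do
    IFS=';'
    set -- $entry
    IFS=$old_ifs
    if [ $# -ne 4 ]; then
      echo "malformed PORTFLOOD entry (need port;proto;hits;secs): $entry" >&2
      return 1
    fi
    case "$1$3$4" in *[!0-9]*)
      echo "non-numeric field in PORTFLOOD entry: $entry" >&2
      return 1 ;;
    esac
    echo "port $1/$2: block an IP that makes more than $3 connections in $4 seconds"
  done
}

# explain_ct [FILE]: summarise CT_LIMIT/CT_PORTS/CT_BLOCK_TIME/CT_PERMANENT.
explain_ct() {
  limit=$(csf_get CT_LIMIT "$@")
  ports=$(csf_get CT_PORTS "$@")
  secs=$(csf_get CT_BLOCK_TIME "$@")
  perm=$(csf_get CT_PERMANENT "$@")
  if [ "$perm" = "1" ]; then
    echo "IPs with more than $limit connections to port(s) $ports are blocked permanently"
  else
    echo "IPs with more than $limit connections to port(s) $ports are blocked for $secs seconds"
  fi
}

# Usage against the constructed excerpt:
explain_portflood "$(csf_get PORTFLOOD)"
explain_ct
```

Run explain_portflood on the value from the live file before restarting csf; a silently malformed entry is worse than no entry because nothing warns you that the limit is not being applied.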

SYNFLOOD
========

A SYN flood is a DoS attack that exploits the TCP three-way handshake by leaving large numbers of connections half-open.

On a Linux server, you can quickly check for SYN packets by running this command over SSH:


netstat -an|awk '/tcp/ {print $6}'|sort|uniq -c

SYNFLOOD is disabled by default. If you are not receiving any sort of attack, there is no need to enable it. If you are expecting an attack, enable it and set the rules a bit strict, like:

SYNFLOOD = "1"
SYNFLOOD_RATE = "30/s"
SYNFLOOD_BURST = "10"

i.e. if 30 connections per second are received from an IP 10 times, block it. Make sure you don't keep it too strict when you are not under attack, otherwise it will generate false positives and block legitimate connections.
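The netstat pipeline above gives you the raw state counts; what you actually want to know during an incident is how many half-open (SYN_RECV) connections there are and which sources they come from, so you can judge whether enabling SYNFLOOD (or adding a targeted csf -td block) is warranted. As an added example that is not part of the original post, the POSIX sh script below runs that analysis over a constructed netstat -an sample; on a real server replace the sample with the output of netstat -an (or ss -tan).

```shell
#!/bin/sh
# Constructed netstat -an output (Linux layout; not from a real host).
SAMPLE_NETSTAT=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.9:51512       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:51513       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:51514       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.3:40002      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.3:40010      ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 2001:db8::5:443         2001:db8:1::9:60000     SYN_RECV
udp        0      0 0.0.0.0:53              0.0.0.0:*
EOF
)

# netstat_lines: the data source; swap in `netstat -an` on a live host.
netstat_lines() { printf '%s\n' "$SAMPLE_NETSTAT"; }

# tcp_state_counts: "<STATE> <count>" per TCP state, sorted by state name
# (the same information as the page's awk|sort|uniq -c pipeline).
tcp_state_counts() {
  netstat_lines | awk '$1 ~ /^tcp/ {c[$6]++} END {for (s in c) print s, c[s]}' | sort
}

# syn_recv_count: number of half-open connections right now.
syn_recv_count() {
  netstat_lines | awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" {n++} END {print n + 0}'
}

# syn_recv_sources: "<count> <remote ip>" for SYN_RECV, busiest first.
# The trailing ":port" is stripped so IPv6 addresses stay intact.
syn_recv_sources() {
  netstat_lines \
    | awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" { ip = $5; sub(/:[0-9]+$/, "", ip); c[ip]++ }
           END { for (ip in c) print c[ip], ip }' \
    | sort -rn
}

# syn_check THRESHOLD: exit 0 when SYN_RECV is below THRESHOLD, 1 otherwise.
syn_check() {
  n=$(syn_recv_count)
  if [ "$n" -ge "$1" ]; then
    echo "WARN: $n half-open connections (threshold $1); top sources:"
    syn_recv_sources | head -n 5
    return 1
  fi
  echo "OK: $n half-open connections (threshold $1)"
  return 0
}

# Usage against the constructed sample:
tcp_state_counts
syn_check 3
```

A handful of SYN_RECV entries is normal on a busy web server; a count that keeps climbing while ESTABLISHED stays flat, concentrated on a few sources, is the pattern that justifies turning SYNFLOOD on. Keep the threshold tied to what the server normally shows so the check does not become the same kind of false positive the post warns about.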

If you need any further assistance, contact me at [email protected] (Hangouts preferred).
