iptables Tips and Tricks: CSF ConfigurationPosted by Mark Ridlen in Development, Tips and Tricks
In our last “iptables Tips and Tricks” installment, we talked about Advanced Policy Firewall (APF) configuration, so it should come as no surprise that in this installment, we’re turning our attention to ConfigServer Security & Firewall (CSF). Before we get started, you should probably run through the list of warnings I include at the top of the APF blog post and make sure you have your Band-Aid ready in case you need it.
To get the ball rolling, we need to download CSF and install it on our server. In this post, we’re working with a CentOS 6.0 32-bit server, so our (root) terminal commands would look like this to download and install CSF:
$ wget http://www.configserver.com/free/csf.tgz #Download CSF using wget. $ tar zxvf csf.tgz #Unpack it. $ yum install perl-libwww-perl #Make sure perl modules are installed ... $ yum install perl-Time-HiRes #Otherwise it will generate an error. $ cd csf $ ./install.sh #Install CSF. #MAKE SURE YOU HAVE YOUR BAND-AID READY $ /etc/init.d/csf start #Start CSF. (Note: You can also use '$ service csf start')
Once you start CSF, you can see a list of the default rules that load at startup. CSF defaults to a DROP policy:
$ iptables -nL | grep policy Chain INPUT (policy DROP) Chain FORWARD (policy DROP) Chain OUTPUT (policy DROP)
Don’t ever run “
iptables -F” unless you want to lock yourself out. In fact, you might want to add “This server is running CSF – do not run ‘iptables -F’” to your
/etc/motd, just as a reminder/warning to others.
CSF loads on startup by default. This means that if you get locked out, a simple reboot probably won’t fix the problem. Runlevels 2, 3, 4, and 5 are all on:
$ chkconfig --list | grep csf csf 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Some features of CSF will not work unless you have certain iptables modules installed. I believe they are installed by default in CentOS, but if you custom-built your iptables, they might not all be installed. Run this script to see if all modules are installed:
$ /etc/csf/csftest.pl Testing ip_tables/iptable_filter...OK Testing ipt_LOG...OK Testing ipt_multiport/xt_multiport...OK Testing ipt_REJECT...OK Testing ipt_state/xt_state...OK Testing ipt_limit/xt_limit...OK Testing ipt_recent...OK Testing xt_connlimit...OK Testing ipt_owner/xt_owner...OK Testing iptable_nat/ipt_REDIRECT...OK Testing iptable_nat/ipt_DNAT...OK RESULT: csf should function on this server
As I mentioned, this is the default iptables installation on a minimal CentOS 6.0 image, so chances are good that these modules are already installed on your system. It never hurts to check, though.
The CSF Configuration File
The primary CSF configuration is stored in the well-documented
/etc/csf/csf.conf file. CSF is extremely configurable, so there are a lot of options to read over. Let’s take a look over some of the more important features:
TESTING = "1" TESTING_INTERVAL = "5"
This TESTING cron job runs every “5″ minutes so you don’t lock yourself out when you’re testing your rules. When you are satisfied with your rules (and confident that you won’t lock yourself out), you can set TESTING to “0″.
Globally Allowed Ports
# Allow incoming TCP ports TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995" # Allow outgoing TCP ports TCP_OUT = "20,21,22,25,53,80,110,113,443" # Allow incoming UDP ports UDP_IN = "20,21,53" # Allow outgoing UDP ports # To allow outgoing traceroute add 33434:33523 to this list UDP_OUT = "20,21,53,113,123"
Incoming Ping Requests
# Allow incoming PING ICMP_IN = "1"
Allowing ping is usually a good option for diagnostic purposes, so I don’t recommend turning it off. Disallowing ping is an example of “security through obscurity,” and it will not typically dissuade your attackers.
ETH_DEVICE = "" ETH6_DEVICE = ""
Here, you can configure iptables to ONLY use one Ethernet adapter. You might want to only guard your public network adapter in some situations.
IP Limit in Permanent “Deny” File
DENY_IP_LIMIT = "200"
A higher number here will obviously screen out more IP addresses in
csf.deny, but higher numbers also may cause slowdowns.
IP Limit in Temporary “Deny” File
DENY_TEMP_IP_LIMIT = "100"
Similar to DENY_IP_LIMIT, the DENY_TEMP_IP_LIMIT represents the maximum number of IPs that can be stored in the temporary ban list.
SMTP_BLOCK = "0"
When set to “1″, SMTP_BLOCK does not completely block outbound SMTP, but it does block it for most users. This will prevent malicious scripts and compromised users from making outbound connections from unauthorized mail clients on the server. SMTP_BLOCK doesn’t stop those scripts from running, but it does stop them from functioning. Mail sent through the proper channels will still be delivered normally.
Allowing SMTP on localhost
SMTP_ALLOWLOCAL = "1"
Custom Mail Port Designation
SMTP_PORTS = "25,465,587"
Allowing SMTP Access to Users/Groups
SMTP_ALLOWUSER = "" SMTP_ALLOWGROUP = "mail,mailman"
SYN Flood Protection
SYNFLOOD = "0" SYNFLOOD_RATE = "100/s" SYNFLOOD_BURST = "150"
Per the documentation, you should only enable SYN flood protection (SYNFLOOD= “1″) if you are currently under a SYN flood attack.
Concurrent Connections Limit
CONNLIMIT = "22;5,80;20" PORTFLOOD = "22;tcp;5;300,80;tcp;20;5
These options allow you to add customized DoS protection. CONNLIMIT handles the number of concurrent connections, and in this example, we’re limiting port 22 to 5 connections and port 80 to 20 connections.
PORTFLOOD on deals with connections per second. In this example, we’re limiting the TCP connection on port 22 to 5 connections/second with a quiet period of 300 seconds before the connection is unblocked. Additonally, we’re limiting the TCP connection on port 80 to 20 connections/second with a quiet period of 5 seconds before the connection is unblocked.
readme.txt file for more information about the syntax.
Logging to Syslog
SYSLOG = "0"
When enabled, this option logs lfd (Login Failure Daemon) messages to syslog as well as to
Dropping v. Rejecting Packets
DROP = "DROP"
This configuration allows you to either DROP or REJECT packets. REJECT tells the sender that the packet has been blocked by the firewall. DROP just drops the packet and does not send a response. I like DROP better for regular use, but REJECT might be more helpful if you need to diagnose a connectivity issue.
Logging Dropped Connections
DROP_LOGGING = "1"
This option logs dropped connections to syslog. I don’t see any reason to turn this off unless your hard drive is getting full.
Port Exceptions When Logging Dropped Connections
DROP_NOLOG = "67,68,111,113,135:139,445,500,513,520"
These ports are specifically blocked from being logged either to conserve hard drive space or make the log file easier to read.
WATCH_MODE = "0"
If you are ever stuck trying to troubleshoot a large ruleset, you might consider turning this option on. You can use it to track the actions to watched IP addresses to see where they are getting blocked or accepted.
Login Failure Daemon Alert
LF_ALERT_TO = "" LF_ALERT_FROM = "" LF_ALERT_SMTP = ""
You can specify an email address to report errors from the Login Failure Daemon, which tracks and automatically blocks brute force login attempts.
Permanent Blocks and NetBlocks
LF_PERMBLOCK = "1" LF_PERMBLOCK_INTERVAL = "86400" LF_PERMBLOCK_COUNT = "4" LF_PERMBLOCK_ALERT = "1" LF_NETBLOCK = "0" LF_NETBLOCK_INTERVAL = "86400" LF_NETBLOCK_COUNT = "4" LF_NETBLOCK_CLASS = "C" LF_NETBLOCK_ALERT = "1"
These settings control the permanent block and netblock blocking. You probably don’t need to touch these settings, but you might want some additional security or less security depending on your company needs. If something gets permablocked, it will require your intervention to clear it, which might create downtime for your clients. Likewise, if a legitimate IP address happens to be part of a netblock which has an attacking IP address on it, it will get blocked if you have that feature turned on. A class C network encompasses 256 IP addresses. You can set this to class B or A, but that could block thousands or millions of IP addresses, respectively. Unless you find yourself under constant attack, I would advise you to leave that LF_NETBLOCK off.
Additional Protection During Updates
# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*, # SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new # chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT # chain, then flush and delete the old dynamic chain and rename the new chain. # # This prevents a small window of opportunity opening when an update occurs and # the dynamic chain is flushed for the new rules. SAFECHAINUPDATE = "0"
Activating this option will increase your system resource usage and will require more rules to be running at one time, but it provides an additional layer of protection during updates. Without this option turned on, your rules will be flushed for a short amount of time, leaving your server vulnerable.
Multi-Server Deployment Options
LF_GLOBAL = "0" GLOBAL_ALLOW = "" GLOBAL_DENY = "" GLOBAL_IGNORE = ""
Like APF, you can configure global lists for multiple server deployments. You’ll need to specify a URL of the text file with the IP addresses for the global lists.
LF_SPAMHAUS = "0"
This option enables the SPAMHAUS blocklist. Specify the number of seconds between refreshes. Recommended setting is 86400 (1 day).
Blocking TOR Exit IP Addresses
LF_TOR = "0"
Enabling this option will block TOR exit IP addresses. If you are not familiar with TOR, it is a completely anonymous proxy network. This could block some legitimate users who are trying to protect their anonymity, so I would recommend only turning this on if you are already under attack from a TOR exit address.
Blocking Bogon Addresses
LF_BOGON = "0" LF_BOGON_URL = "http://www.cymru.com/Documents/bogon-bn-agg.txt" LF_BOGON_SKIP = ""
Blocking bogon addresses (addresses that should not be possible) is usually a good decision. To enable, set the number of seconds between refreshes. I recommend enabling this option and setting the refresh at 86400 (1 day). If you do so, be sure to add your private network adapters to the skip list.
Country-Specific Access to Your Server
CC_DENY = "" CC_ALLOW = ""
With these options, you can block or allow entire countries from accessing your server. To do so, enter the country codes in a comma separated list. Even though this generates a lot of additional rules, it’s valuable to some sysadmins.
CC_ALLOW_FILTER = ""
Alternatively, you can set your server to exclusively accept traffic from a list of country codes. All other countries not listed will have their traffic dropped. There are many other settings related to these options that I don’t have time to cover in this blog.
Blocking Login Failures
LF_TRIGGER = "0"
This enables blocking of login failures (per service). There are a lot of great customization options in this section.
Scanning Directories for Malicious Files
LF_DIRWATCH = "300"
This feature scans
/dev/shm for potentially malicious files and alerts you to their presence based on the interval you designate. You can also have CSF automatically quarantine malicious files with this option:
LF_DIRWATCH_DISABLE = "0"
Distributed Attack Protection
LF_DISTATTACK = "0"
By enabling this option, you activate additional protection against distributed attacks.
Blocking Based on Abusive Email Usage
LT_POP3D = "0" LT_IMAPD = "0"
If a user checks email too many times per hour (more than the non-zero value specified), the user’s IP address is blocked.
Email Alert Following Block
LT_EMAIL_ALERT = "1"
This will send you email when something is blocked. I’d recommend leaving it on.
Blocking IP Addresses Based on Number of Connections
CT_LIMIT = "0"
This feature tracks connections and blocks the IP if the number of connections is too high. Use caution because if you enable this option and set this value too low, it will block legitimate traffic.
PT_LIMIT = "60"
This feature provides application level protection against malicious scripts that take a long time to execute.
Blocking Port Scanners
PS_INTERVAL = "300" PS_LIMIT = "10"
Enabling HTML User Interface for CSF
UI = "0"
CSF has a built-in HTML user interface. You can enable this by setting UI = “1″. There are a list of prerequisites for this option in the
Notifying Blocked IP Addresses
MESSENGER = "0"
This option will notify blocked IP addresses when they have been blocked by the firewall.
PORTKNOCKING = ""
CSF supports port knocking, which is a technique that provides an additional layer of security. See http://www.portknocking.org/ for details.
Allow and Deny Lists
As we walked through the CSF configuration file, you saw that I referenced the
csf.deny file, so it should come as no surprise that CSF also includes
csf.allow to customize “allow” rules as well. If you are familiar with APF, these files have a very similar syntax … Each entry is made up of the same four components:
protocol|flow|port|IP. The only real difference being that APF uses the colon as a delimiter while CSF uses the pipe:
#APF Version tcp:in:d=48000_48020:s=10.0.0.0/8 #CSF Version tcp|in|d=48000_48020|s=10.0.0.0/8
Fortunately, replacing your colon with a pipe is a minimally invasive procedure that can be automated with a tool like vi.
CSF Command Line Tool
The command line tool for CSF is much more robust than the one for APF:
$ csf --help csf: v5.79 (cPanel) ConfigServer Security & Firewall (c)2006-2013, Way to the Web Limited (http://www.configserver.com) Usage: /usr/sbin/csf [option] [value] Option Meaning -h, --help Show this message -l, --status List/Show iptables configuration -l6, --status6 List/Show ip6tables configuration -s, --start Start firewall rules -f, --stop Flush/Stop firewall rules (Note: lfd may restart csf) -r, --restart Restart firewall rules -q, --startq Quick restart (csf restarted by lfd) -sf, --startf Force CLI restart regardless of LF_QUICKSTART setting -a, --add ip Allow an IP and add to /etc/csf.allow -ar, --addrm ip Remove an IP from /etc/csf.allow and delete rule -d, --deny ip Deny an IP and add to /etc/csf.deny -dr, --denyrm ip Unblock an IP and remove from /etc/csf.deny -df, --denyf Remove and unblock all entries in /etc/csf.deny -g, --grep ip Search the iptables rules for an IP match (incl. CIDR) -t, --temp Displays the current list of temp IP entries and their TTL -tr, --temprm ip Remove an IPs from the temp IP ban and allow list -td, --tempdeny ip ttl [-p port] [-d direction] Add an IP to the temp IP ban list. ttl is how long to blocks for (default:seconds, can use one suffix of h/m/d). Optional port. Optional direction of block can be one of: in, out or inout (default:in) -ta, --tempallow ip ttl [-p port] [-d direction] Add an IP to the temp IP allow list (default:inout) -tf, --tempf Flush all IPs from the temp IP entries -cp, --cping PING all members in an lfd Cluster -cd, --cdeny ip Deny an IP in a Cluster and add to /etc/csf.deny -ca, --callow ip Allow an IP in a Cluster and add to /etc/csf.allow -cr, --crm ip Unblock an IP in a Cluster and remove from /etc/csf.deny -cc, --cconfig [name] [value] Change configuration option [name] to [value] in a Cluster -cf, --cfile [file] Send [file] in a Cluster to /etc/csf/ -crs, --crestart Cluster restart csf and lfd -w, --watch ip Log SYN packets for an IP across iptables chains -m, --mail [addr] Display Server Check in HTML or email to [addr] if present -lr, --logrun Initiate Log Scanner report via lfd -c, --check Check for updates to csf but do not upgrade -u, --update Check for updates to csf and upgrade if available -uf Force an update of csf -x, --disable Disable csf and lfd -e, --enable Enable csf and lfd if previously disabled -v, --version Show csf version
The command line tool will also tell you if the testing mode is enabled (which is a very useful feature). If TESTING were enabled, we’d see this line at the bottom of the output:
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
Did you make it all the way through?! Great! I know it’s a lot to take in, but it’s not terribly complicated when we break it down and understand how each piece works. Next time, I’ll be back with some tips on integrating CSF into cPanel.