In our last “iptables Tips and Tricks” installment, we talked about Advanced Policy Firewall (APF) configuration, so it should come as no surprise that in this installment, we’re turning our attention to ConfigServer Security & Firewall (CSF). Before we get started, you should probably run through the list of warnings I include at the top of the APF blog post and make sure you have your Band-Aid ready in case you need it.
To get the ball rolling, we need to download CSF and install it on our server. In this post, we’re working with a CentOS 6.0 32-bit server, so our (root) terminal commands would look like this to download and install CSF:
$ wget http://www.configserver.com/free/csf.tgz   # Download CSF using wget.
$ tar zxvf csf.tgz                                # Unpack it.
$ yum install perl-libwww-perl                    # Make sure perl modules are installed ...
$ yum install perl-Time-HiRes                     # ... otherwise it will generate an error.
$ cd csf
$ ./install.sh                                    # Install CSF. MAKE SURE YOU HAVE YOUR BAND-AID READY
$ /etc/init.d/csf start                           # Start CSF. (Note: You can also use '$ service csf start')
Once you start CSF, you can see a list of the default rules that load at startup. CSF defaults to a DROP policy:
$ iptables -nL | grep policy
Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy DROP)
Don’t ever run “iptables -F” unless you want to lock yourself out. In fact, you might want to add “This server is running CSF – do not run ‘iptables -F’” to your /etc/motd, just as a reminder/warning to others.
CSF loads on startup by default. This means that if you get locked out, a simple reboot probably won’t fix the problem. Runlevels 2, 3, 4, and 5 are all on:
$ chkconfig --list | grep csf
csf    0:off   1:off   2:on    3:on    4:on    5:on    6:off
Some features of CSF will not work unless you have certain iptables modules installed. I believe they are installed by default in CentOS, but if you custom-built your iptables, they might not all be installed. Run this script to see if all modules are installed:
$ /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
As I mentioned, this is the default iptables installation on a minimal CentOS 6.0 image, so chances are good that these modules are already installed on your system. It never hurts to check, though.
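The two checks above (the DROP policies after “csf start” and the csftest.pl module results) are easy to eyeball once, but a small script that parses that output is handy for a post-install sanity pass or for a monitoring check. The following is an added example, not part of the original post or of CSF itself: two POSIX shell functions that read the output of “iptables -nL” and “/etc/csf/csftest.pl” on stdin. The sample outputs embedded in it are constructed so the script runs offline; the wording of a failing csftest.pl line (“...FAILED”) is assumed, and the check only relies on a “Testing” line not ending in “OK”.

```shell
#!/bin/sh
# Added example (not from the original post or from CSF): post-install
# sanity checks that parse the same command output the post shows.
# On a live server: iptables -nL | policies_all_drop
#                   /etc/csf/csftest.pl | csftest_missing

# Return 0 only if the INPUT, FORWARD and OUTPUT chains all carry a DROP
# default policy, i.e. CSF's deny-by-default posture is actually in place.
policies_all_drop() {
    n=$(grep -E '^Chain (INPUT|FORWARD|OUTPUT) \(policy DROP\)' | sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 3 ]
}

# Print every csftest.pl "Testing ..." line that did not end in OK.
# Returns 0 when every module test passed, 1 when something is missing.
csftest_missing() {
    missing=$(grep '^Testing ' | grep -v 'OK$' || true)
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample outputs (the DROP/OK ones mirror the post; the others
# are hypothetical failure cases, and the FAILED wording is assumed).
SAMPLE_POLICY_DROP='Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy DROP)'

SAMPLE_POLICY_OPEN='Chain INPUT (policy ACCEPT)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy DROP)'

SAMPLE_CSFTEST_OK='Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_recent...OK
RESULT: csf should function on this server'

SAMPLE_CSFTEST_MISSING='Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_recent...FAILED
RESULT: csf will not function on this server'

# Demonstration on the constructed samples (prints PASS/FAIL, never exits).
printf '%s\n' "$SAMPLE_POLICY_DROP" | policies_all_drop \
    && echo "policy check (DROP sample): PASS" || echo "policy check (DROP sample): FAIL"
printf '%s\n' "$SAMPLE_POLICY_OPEN" | policies_all_drop \
    && echo "policy check (ACCEPT sample): PASS" || echo "policy check (ACCEPT sample): FAIL"
printf '%s\n' "$SAMPLE_CSFTEST_MISSING" | csftest_missing \
    && echo "module check: PASS" || echo "module check: FAIL (see lines above)"
```

Both functions read stdin so they can be dropped straight after a pipe; the policy check deliberately counts distinct matching chains rather than just grepping for “DROP”, so a box where only one chain was left at ACCEPT is reported as a failure.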
The CSF Configuration File
The primary CSF configuration is stored in the well-documented /etc/csf/csf.conf file. CSF is extremely configurable, so there are a lot of options to read over. Let’s take a look over some of the more important features: