For my work I had to set up a DirectAdmin server (which was a great pain to get perfect), and I was bothered by enormous numbers of brute-force attempts, mostly on the Exim ports. First thing on the agenda was of course to look for a way to block these fuckers, and in comes CSF/LFD (ConfigServer Security & Firewall with its Login Failure Daemon).
I experimented with CSF/LFD on non-DirectAdmin servers and was pleased. After some debating and testing I decided to drop firewalld6 and go with CSF/LFD. This guide gets it running on a Debian 9 server without DirectAdmin (I will write a post for that one specifically in a week or two).
Installing our new firewall
Here we go.
# cd /tmp/
# wget https://download.configserver.com/csf.tgz
# tar xzf csf.tgz
# cd csf/
Check whether the server has everything it needs to run CSF/LFD (the iptables modules and Perl modules it depends on; the tarball includes a test script for the iptables side, so read its result line before going on):
If everything is OK you can install CSF/LFD.
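The install step as a script with the pre-flight checks I would want around it. This is an added example, not code from the original post: it assumes the tarball layout the csf readme describes (an install.sh and a csftest.pl script in the extracted csf/ directory, with csftest.pl also placed in /usr/local/csf/bin/ by the installer) and the Perl packages that readme lists for Debian; check the readme in the copy you downloaded if anything differs.

```shell
#!/bin/sh
# Added example (not from the post). Assumptions: csf tarball contains
# install.sh and csftest.pl; Debian package names as in the csf readme.
set -eu

# Perl modules csf needs: LWP for fetching updates (URLGET), GD::Graph only
# for the web UI's graphs, which this guide leaves disabled anyway.
csf_install_prereqs() {
    apt-get install -y iptables perl libwww-perl liblwp-protocol-https-perl libgd-graph-perl
}

# Refuse to run an installer from a directory that does not look like the
# csf tarball at all (wrong download, truncated archive).
csf_tarball_ok() {
    for f in install.sh csftest.pl; do
        [ -f "$1/$f" ] || { echo "missing $1/$f" >&2; return 1; }
    done
}

# Test for the iptables modules csf needs, install, then repeat the test
# from the installed location. Read the RESULT line csftest.pl prints.
csf_install() {
    csf_tarball_ok "$1"
    cd "$1"
    perl csftest.pl
    sh install.sh
    perl /usr/local/csf/bin/csftest.pl
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${CSF_DO_INSTALL:-0}" = "1" ]; then
    csf_install_prereqs
    cd /tmp
    wget -q https://download.configserver.com/csf.tgz
    tar xzf csf.tgz
    csf_install /tmp/csf
fi
```

Run it with `CSF_DO_INSTALL=1 sh csf-install.sh`; without that variable it only defines the functions, which is what the checks below rely on.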
Setting it up
Now configure your firewall. Good places to start are the man pages and this site; the configuration file itself is also heavily commented. For a quick setup follow the steps below.
First make sure that management of the server is only possible from your WAN IP address.
# vi /etc/csf/csf.allow
220.127.116.11 # Your WAN IP
Then the configuration file. It is very big; it has a lot of commented text, and stripped down it is still pretty huge. From top to bottom, the lines I changed. One caution on the first of them: keep TESTING at 1 until you have confirmed from your WAN IP that you can still log in. While it is 1, lfd does not start and csf installs a cron job that flushes the rules every few minutes, so a mistake cannot lock you out for good. Only then set it to 0.
TESTING = "0"
RESTRICT_SYSLOG = "3"
RESTRICT_SYSLOG_GROUP = "mysyslog"
RESTRICT_UI = "2"
AUTO_UPDATES = "0"
We’ll be making our own cron for automatic updates.
The below is important to understand. You will NOT put the management ports (such as 22 or 2222 for SSH) in TCP_IN. Addresses listed in csf.allow are let through regardless of the port lists, which is why we put our WAN IP in csf.allow: SSH stays reachable from that address only. Make sure you have another way in (a console or your provider's rescue mode) in case that address changes.
# Allow incoming TCP ports
TCP_IN = "80,443"
# Allow outgoing TCP ports
TCP_OUT = "25,80,443,587"
# Allow incoming UDP ports
UDP_IN = ""
# Allow outgoing UDP ports
UDP_OUT = "53,123"
Use the same settings for the IPv6 lists (TCP6_IN, TCP6_OUT, UDP6_IN, UDP6_OUT). Continuing:
SYSLOG_CHECK = "300"
LF_ALERT_TO = "email@example.com"
LF_ALERT_FROM = "firstname.lastname@example.org"
URLGET = "1"
LF_DIRWATCH = "0"
LF_DIRWATCH_DISABLE = "0"
LF_DIRWATCH_FILE = "0"
LF_INTEGRITY = "0"
PT_LIMIT = "0"
PT_USERMEM = "0"
PT_USERTIME = "0"
UI = "0"
LOGSCANNER = "0"
That should do it. Reload the rules and restart the services, then test: from your WAN IP you should still reach SSH, and from any other address only ports 80 and 443.
# csf -r
# systemctl restart csf
# systemctl restart lfd
Create a cron job for automatic updates in /etc/cron.d/csfupdate (csf -u upgrades csf/lfd in place when a newer version is available). Contents:
# Automatic updates for CSF / LFD security and firewall
30 5 * * * root /usr/sbin/csf -u
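The whole configuration above (csf.allow entry, the changed csf.conf keys including their IPv6 counterparts, the cron job and the restart) as one idempotent script. This is an added example and not the post's own code. It assumes GNU sed (Debian's), the file paths used in this guide, and the csf.conf key names shown above; the guard on TESTING is my addition so that the script cannot lock you out on its first run.

```shell
#!/bin/sh
# Added example (not from the post). Assumes GNU sed and the guide's paths;
# the three paths can be overridden from the environment.
set -eu
CSF_CONF=${CSF_CONF:-/etc/csf/csf.conf}
CSF_ALLOW=${CSF_ALLOW:-/etc/csf/csf.allow}
CRON_FILE=${CRON_FILE:-/etc/cron.d/csfupdate}

# Set KEY = "VALUE" in a csf.conf. Refuses a key not present exactly once:
# a typo would otherwise change nothing while you believe it is in force.
set_csf_opt() {
    key=$1 value=$2 file=${3:-$CSF_CONF}
    n=$(grep -c "^$key = \"" "$file" || true)
    [ "$n" -eq 1 ] || { echo "set_csf_opt: $key occurs $n times in $file" >&2; return 1; }
    sed -i "s|^$key = \".*\"|$key = \"$value\"|" "$file"
}
# Current value of KEY (without the quotes).
get_csf_opt() {
    sed -n "s|^$1 = \"\(.*\)\"|\1|p" "${2:-$CSF_CONF}"
}
# The guide's rule: management ports are reached only through csf.allow, never
# through TCP_IN. Fails if a given port is in KEY's list (single ports only;
# csf also accepts ranges such as 30000:35000, which this does not inspect).
ports_absent() {
    key=$1 conf=$2; shift 2
    list=$(get_csf_opt "$key" "$conf")
    for p; do
        case ",$list," in *",$p,"*) echo "$key opens management port $p" >&2; return 1 ;; esac
    done
}
is_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}
# Allow-list the management address (idempotent). A bad entry here means a
# lockout once TESTING is 0, hence the validation.
add_allow_ip() {
    ip=$1 file=${2:-$CSF_ALLOW}
    is_ipv4 "$ip" || { echo "add_allow_ip: not an IPv4 address: $ip" >&2; return 1; }
    ipre=$(printf '%s' "$ip" | sed 's/\./\\./g')
    grep -qE "^$ipre( |#|$)" "$file" 2>/dev/null || echo "$ip # management WAN IP" >> "$file"
}
install_update_cron() {
    printf '%s\n' '# Automatic updates for CSF / LFD security and firewall' \
        '30 5 * * * root /usr/sbin/csf -u' > "${1:-$CRON_FILE}"
}
# All changed lines from the guide, in order; TESTING stays 1 unless
# CSF_TESTING=0 is given. A copy of the file is kept to diff against.
apply_guide_settings() {
    conf=${1:-$CSF_CONF}
    cp -p "$conf" "$conf.bak"
    while read -r key value; do
        case $key in ''|'#'*) continue ;; esac
        set_csf_opt "$key" "$value" "$conf"
    done <<EOF
TESTING ${CSF_TESTING:-1}
RESTRICT_SYSLOG 3
RESTRICT_SYSLOG_GROUP mysyslog
RESTRICT_UI 2
AUTO_UPDATES 0
TCP_IN 80,443
TCP_OUT 25,80,443,587
UDP_IN
UDP_OUT 53,123
TCP6_IN 80,443
TCP6_OUT 25,80,443,587
UDP6_IN
UDP6_OUT 53,123
SYSLOG_CHECK 300
LF_ALERT_TO email@example.com
LF_ALERT_FROM firstname.lastname@example.org
URLGET 1
LF_DIRWATCH 0
LF_DIRWATCH_DISABLE 0
LF_DIRWATCH_FILE 0
LF_INTEGRITY 0
PT_LIMIT 0
PT_USERMEM 0
PT_USERTIME 0
UI 0
LOGSCANNER 0
EOF
    ports_absent TCP_IN "$conf" 22 2222
    ports_absent TCP6_IN "$conf" 22 2222
}
# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${CSF_APPLY:-0}" = "1" ]; then
    add_allow_ip "$1"          # your WAN IP
    apply_guide_settings
    install_update_cron
    csf -r
    if [ "${CSF_TESTING:-1}" = "0" ]; then systemctl restart lfd; fi   # lfd only runs with TESTING = "0"
fi
```

Run it once as `CSF_APPLY=1 sh csf-setup.sh <your WAN IP>`, confirm from that address that SSH still works and from another address that only 80 and 443 answer, then run it again with `CSF_TESTING=0` added to switch the firewall live and start lfd. Sourcing the file without CSF_APPLY only defines the functions.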