ConfigServer Security & Firewall (csf)
Step 2: Additional settings
CSF offers a vast number of different options in its configuration files. Some of the most commonly used settings are explained below.
ICMP_IN Setting ICMP_IN to 1 allows ping to your server and 0 refuses are such requests. If you are hosting any public services, it is recommended to allow ICMP requests, as these can be used to determine whether or not your service is available.
ICMP_IN_LIMIT Sets the number of ICMP (ping) requests allowed from one IP address within a specified amount of time. There is usually no need to change the default value (1/s)
DENY_IP_LIMIT Sets the number of blocked IP addresses CSF keeps track of. It is recommended to limit the number of denied IP addresses as having too many blocks may slow down the server performance.
DENY_TEMP_IP_LIMIT Same as above, but for temporary IP address blocks.
PACKET_FILTER Filter invalid, unwanted and illegal packets.
SYNFLOOD, SUNFLOOD_RATE and SYNFLOOD_BURST This offers protection against SYN flood attacks. This slows down the initialization of every connection, so you should enable this only if you know that your server is under attack.
CONNLIMIT Limits the number of concurrent active connections on port.
Value:
22;5;443;20
would allow 5 concurrent connections on port 22 and 20 concurrent connections on port 443.
PORTFLOOD Limits the number of connections per time interval that new connections can be made to specific ports.
Value:
22;tcp;5;250
would limit block the IP address if more than 5 connections are established on port 22 using TCP protocol within 250 seconds. The block is removed once 250 seconds have passed after the last packet sent by the client to this port. You may add more ports by separating them by commas like described below.
port1;protocol1;connection_count1;time1,port2;protocol2;connection_count2;time2
More settings
CSF offers a wide range of settings which are not covered in this tutorial. The default values are generally good, and can be used on almost any server. The default settings are configured to prevent most flood attacks, port scans and unauthorized access attempts.
If you would, however, like to adjust the configuration in more detail, please read the comments in /etc/csf/csf.conf and edit them as you like.
Step 3: Applying the Changes
Whenever you are altering the settings in csf.conf, you should save the files and restart CSF in order for the changes to take effect.
Once you are ready with the configuration, close the file by pressing Ctrl + X. When you are asked whether to save the changes or not, press Y to save the changes.
After this, you should apply the changes by restarting CSF with command:
csf -r
If everything went like planned, and you are still able to access the server, open the configuration file once more:
nano /etc/csf/csf.conf
and change setting TESTING at the beginning of the configuration file to 0 as shown below:
TESTING = "0"
Save the file, and apply the changes with command:
csf -r
Blocking and Allowing IP Addresses
One of the most basic features of a firewall is the ability to block certain IP addresses. You may deny (blacklist), allow (whitelist) or ignore IP addresses by editing the configuration files csf.deny, csf.allow and csf.ignore.
Blocking IP addresses
If you would like to block an IP address or range, open csf.deny.
nano /etc/csf/csf.deny
Blocked IP addresses or ranges all reserve one line in csf.deny file. If you would like to block IP address 1.2.3.4 as well as IP range 2.3.*.*, you should add the following lines to the file:
1.2.3.4 2.3.0.0/16
IP ranges are represented using the CIDR notation
Allowing IP addresses
If you would like an IP address or range to be excluded from all blocks and filters, you may add them to csf.allow file. Please note that allowed IP addresses are allowed even if they are explicitly blocked in csf.deny file.
Allowing IP addresses works similarly to blocking them. The only difference is that you should edit /etc/csf/csf.allow instead of csf.deny.
nano /etc/csf/csf.allow
Ignoring IP addresses
CSF also offers ability to exclude IP addresses from the firewall filters. IP addresses in csf.ignore will bypass the firewall filters, and can only be blocked if listed in csf.deny file.
nano /etc/csf/csf.ignore
In order to changes take effect, you should restart CSF after editing any of the files described above with command:
csf -r