csf is a firewall based on iptables that is very easy to configure and use. Together with it comes the Login Failure Daemon (lfd) that, other than logging failed log in attempts on various services, it blocks the IPs that have several failed logins in a short period of time. This protects against Brute Force attacks. lfd also reports on usage of resources in the server eg RAM, CPU and number of processes. The full list of services that lfd monitors for failed login attempts is:
• Courier imap, Dovecot, uw-imap, Kerio
• openSSH
• cPanel, WHM, Webmail (cPanel servers only)
• Pure-ftpd, vsftpd, Proftpd
• Password protected web pages (htpasswd)
• Mod_security failures (v1 and v2)
• Suhosin failures
• Exim SMTP AUTH
• Custom login failures with separate log file and regular expression matching
Installation
As earlier stated, installation is quite easy. Run the following commands in order to install csf and lfd. Note that, no other iptables configuration script should be running. Uninstall any other script so csf can install and work properly.
• cd /usr/src
• rm -fv csf.tgz
• wget https://download.configserver.com/csf.tgz
• tar -xzf csf.tgz
• cd csf
• sh install.sh
You then need to test whether all required iptables modules are there. Use the command below. It should not bring any Fatal Errors:
• perl /usr/local/csf/bin/csftest.pl
Note: For lfd to work, csf must not be in Testing mode. To disable Testing mode, open /etc/csf/csf.conf and look for the line TESTING = “1”. Replace 1 with 0. Then restart csf and lfd.
Uninstallation
It’s even easier to uninstall csf. Run:
• cd /etc/csf
• sh uninstall.sh
csf is a powerful and flexible firewall solution. It is bundled with several popular web hosting control panels including cPanel, Centos Web Panel and Webmin
ssh commands for csf
It is sometimes convenient to use SSH to accomplish tasks via command line instead of loading GUI interfaces. csf provides commands to use in it’s management. Equivalent actions can be completed using GUI in webhosting panels like cpanel or cwp. Here is a cheatshee of the commandst:
Command | Description | Usage |
csf -s | Start firewall rules | # csf -s |
csf -f | Stop firewall rules | # csf -f |
csf -r | Restart firewall rules | # csf -r |
csf -a ip | Allow an Ip address. Add it to /etc/csf/csf.allow | # csf -a 10.10.10.10
# csf -a 10.10.10.10 My ip address |
csf -d ip | Deny an Ip address. Add it to /etc/csf/csf.deny | # csf -d 10.10.10.10
# csf -d 10.10.10.10 An attacker |
csf -g ip | Search iptables/ip6tables for a match in IP, Port or CIDR | # csf -g 10.10.10.10 |
csf -t | Displays the current list of temporary allow and deny IP entries with their TTL and comment | # csf -t |
csf -tr ip | Remove an IP from the temporary IP ban or allow list. | # csf -tr 10.10.10.10 |
csf -tf | Flush all IPs from the temporary IP entries | # csf -tf |
csf -dr ip | Unblock an IP and remove from /etc/csf/csf.deny | # csf -dr 10.10.10.10 |
csf -df | Remove and unblock all entries in /etc/csf/csf.deny | # csf -df |
Note: You need root privileges to run these commands
Whitelist
To prevent an IP from being blocked by csf, you need to add it to whitelist. This is essentially, just adding it to /etc/csf/csf.allow and /etc/csf/csf.ignore lists. When an IP is in whitelist, it will no longer be checked by lfd
Your first step will be to enable IGNORE_ALLOW in /etc/csf/csf.conf. By default, it’s value is “0”, change that to “1” the restart csf and lfd
In conclusion, here are some useful links to csf and lfd:
1. More details about csf and lfd can be found here
2. More details on installation of csf and lfd can be found here