How to set up the CSF firewall on Linux

CSF Firewall setup:

CSF (ConfigServer Security & Firewall) is a very popular firewall front end for iptables on Linux servers. It comes with many prebuilt features, and in most cases a plain installation with the default configuration already protects the server from many well-known attacks. See http://configserver.com/cp/csf.html for the full list of options and features.

Installation

Run the following as root. install.sh also installs lfd, the Login Failure Daemon that watches the logs and blocks brute-force sources, and it leaves CSF in testing mode (see below), so the installation itself cannot lock you out:

rm -fv csf.tgz

wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Before going further, confirm that the kernel provides the iptables modules CSF needs by running the bundled test script, perl /usr/local/csf/bin/csftest.pl; it reports any module that is missing.

Basic configuration:

Port settings:
By default the following ports are open:

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"

Remove any port whose service you do not run (every open port is attack surface) and add the ports your services actually need. A range is written low:high, for example 30000:35000 for a passive FTP range.
Some other ports to consider, depending on the control panel and services in use:
 10000 // Webmin default port
 2083,2086,2087 // cPanel/WHM (2083 cPanel over SSL, 2086 WHM, 2087 WHM over SSL)
 26 // some servers accept SMTP on port 26 as an alternative to 25, which some ISPs block for their customers

Add only the ports your setup requires.

To change the port lists, open the configuration file in an editor such as vim:
 vi /etc/csf/csf.conf

and restart CSF so the new rules are loaded:

service csf restart
Blocking predefined IPs:
 vi /etc/csf/csf.deny
1.2.3.4
198.168.0.0/16

Allowing predefined IPs:
 vi /etc/csf/csf.allow

Edit these files to deny or allow addresses permanently; unlike the temporary blocks lfd adds, these entries survive restarts. Each line holds either a single IP or a CIDR range, as shown above, optionally followed by a # comment. An address in csf.allow is let through before the deny rules are evaluated, so allow-list only addresses you really trust (your own management hosts, for instance), never a broad range.

CSF installs in testing mode (TESTING = "1"): a cron job flushes the firewall rules every TESTING_INTERVAL minutes so a mistake cannot lock you out, and lfd does not run while this flag is set. Once all the settings are correct and you have confirmed you can still log in, switch to live mode by setting TESTING = "0" in /etc/csf/csf.conf and restarting with service csf restart.
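Putting the configuration steps above together, here is an added shell example that is not part of CSF or the original page. It validates the port lists and the deny entries before writing them, so a typo cannot leave the firewall with a broken rule set, and then switches TESTING to 0. The port selection (SSH, SMTP, DNS, HTTP/S and the cPanel ports 2083 and 2087) and the two deny entries are assumptions taken from this page; by default the script edits a constructed copy of csf.conf in a temporary directory and only touches /etc/csf if you point CSF_CONF and CSF_DENY at the real files. It does not restart CSF, so run service csf restart afterwards.

```shell
#!/bin/sh
# Added example (not CSF's own code): apply the steps above to a csf.conf-style
# file while validating every value first. By default it works on a constructed
# copy in a temp dir; set CSF_CONF and CSF_DENY to /etc/csf/csf.conf and
# /etc/csf/csf.deny to edit the real files (as root), then run
# `service csf restart` yourself.

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# CSF port lists are comma-separated; a range is written low:high (e.g. 30000:35000).
valid_port_list() {
    [ -n "$1" ] || return 1
    oldifs=$IFS; IFS=','; set -- $1; IFS=$oldifs
    for item in "$@"; do
        case $item in
            *:*) lo=${item%%:*}; hi=${item##*:} ;;
            *)   lo=$item;        hi=$item ;;
        esac
        valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] || return 1
    done
    return 0
}

# IPv4 address or CIDR block, the forms accepted on a csf.deny / csf.allow line.
valid_ipv4_cidr() {
    case $1 in
        */*) addr=${1%/*}; bits=${1#*/} ;;
        *)   addr=$1;      bits=32 ;;
    esac
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    oldifs=$IFS; IFS='.'; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Replace the value of a `KEY = "..."` line (portable: no sed -i).
set_conf_value() {  # file key value
    grep -q "^$2 = " "$1" || { echo "$2 not found in $1" >&2; return 1; }
    sed "s|^$2 = .*|$2 = \"$3\"|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

set_ports() {  # file key list
    valid_port_list "$3" || { echo "bad port list for $2: $3" >&2; return 1; }
    set_conf_value "$1" "$2" "$3"
}

# Append `addr # comment` to csf.deny/csf.allow unless invalid or already present.
add_list_entry() {  # file entry comment
    valid_ipv4_cidr "$2" || { echo "rejected '$2': not an IPv4 address/CIDR" >&2; return 1; }
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    if grep -qE "^$esc([[:space:]]|\$)" "$1" 2>/dev/null; then
        return 0   # already listed, nothing to do
    fi
    printf '%s # %s\n' "$2" "$3" >> "$1"
}

# Constructed stand-in for /etc/csf/csf.conf carrying the defaults quoted above.
make_sample_conf() {
    cat > "$1" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
EOF
}

# The procedure from the text: trim the inbound lists to the services actually
# run (assumed here: SSH, SMTP, DNS, HTTP/S and cPanel 2083/2087), seed
# csf.deny with the two entries shown above, then leave testing mode.
harden_csf() {  # conf deny
    set_ports "$1" TCP_IN "22,25,53,80,443,2083,2087" || return 1
    set_ports "$1" UDP_IN "53" || return 1
    add_list_entry "$2" "1.2.3.4" "constructed example" || return 1
    add_list_entry "$2" "198.168.0.0/16" "constructed example" || return 1
    set_conf_value "$1" TESTING 0
}

WORKDIR=$(mktemp -d)
CSF_CONF=${CSF_CONF:-$WORKDIR/csf.conf}
CSF_DENY=${CSF_DENY:-$WORKDIR/csf.deny}
[ -f "$CSF_CONF" ] || make_sample_conf "$CSF_CONF"
harden_csf "$CSF_CONF" "$CSF_DENY" && grep -E '^(TESTING|TCP_IN|UDP_IN) = ' "$CSF_CONF" && cat "$CSF_DENY"
```

The validation is deliberately strict: an entry such as 999.1.1.1 or a port of 70000 is refused with a message instead of being written, because CSF will otherwise fail to load the rule set and, in live mode, can leave the server without its firewall.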

Basic commands:
CSF comes with many command line options; typing csf with no arguments lists them all. The most frequently used are:

csf -d <ip address to block>   adds the address to /etc/csf/csf.deny and loads the rule
csf -a <ip address to allow>   adds the address to /etc/csf/csf.allow (this does not remove an existing deny entry; csf -dr removes one)
csf -r                          restarts CSF and reloads the rules

Preventing DNS amplification (open resolver) DDoS attacks

DDoS attack via an open DNS resolver:

An open DNS resolver answers recursive queries from any network, not just your own. Anyone on the Internet can use your server to resolve names, and an attacker can send it queries whose source address is spoofed to that of a victim: the server then sends its much larger responses to the victim, so your server becomes the amplifier in a DDoS attack. The traffic also consumes your bandwidth, CPU and memory, slowing the server down or even crashing it. (The settings below are for the BIND name server.)

Disable open recursive requests:

If the server only needs to serve its own zones (authoritative only), disable recursion completely. The three settings belong inside the options { ... } block of named.conf:

vi /etc/named.conf
options {
    recursion no;                // turn off recursion
    allow-transfer { none; };    // no zone transfers (list your secondary name servers here instead, if you have any)
    allow-query-cache { none; }; // nobody may read the cache
    ...
};

After modifying named.conf, the DNS server must be restarted:

service named restart

If some hosts legitimately need recursion (for example your own web or mail servers), restrict it with an ACL so that only those addresses can recurse, while everyone else can still query the zones you are authoritative for:

acl ourips {
    192.168.0.0/24; // change to your own networks
    localhost;
};
options {
    allow-recursion { ourips; };   // only these may recurse
    allow-query-cache { ourips; }; // and only these may read cached answers
    allow-query { any; };          // authoritative answers for your own zones stay public
    recursion yes;
    ...
};

After modifying named.conf, restart BIND:

service named restart

To check that recursion is turned off, query the server for a name it is not authoritative for, from a host outside the allowed ACL (otherwise you are only testing the permitted path):

host google.com <your name server>

The result should be an error rather than an answer:

Host google.com not found

(typically with status 5(REFUSED)). If the lookup succeeds, the server is still an open resolver.
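The same check is more precise with dig, because dig prints the response flags: a reply carrying the "ra" (recursion available) flag with status NOERROR for a name the server is not authoritative for means it recursed on your behalf, while REFUSED or a reply without "ra" means recursion is closed to your address. This applies equally to the recursion no setup and to the ACL setup above, as long as you test from an address outside the ACL. Here is an added shell example, not from the original page, that classifies dig output accordingly; the sample headers in it are constructed, not captured from a real server, and ns1.example.com is a placeholder for your own name server.

```shell
#!/bin/sh
# Added example (not from the original page): decide from the header of a `dig`
# response whether a name server is an open recursive resolver.
#   OPEN    -> it answered (NOERROR/NXDOMAIN) and set "ra": it recursed for us
#   CLOSED  -> REFUSED, or no "ra" flag: recursion is not offered to our address
#   UNKNOWN -> no header at all (timeout, unreachable) or an odd status

# Read dig output on stdin and print OPEN, CLOSED or UNKNOWN.
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *" ra "*) ra=1 ;;   # recursion available bit set by the server
        *)        ra=0 ;;
    esac
    case "$status:$ra" in
        :*)                   echo UNKNOWN ;;  # no HEADER line: timeout or unreachable
        NOERROR:1|NXDOMAIN:1) echo OPEN ;;     # recursed and answered for us
        REFUSED:*|*:0)        echo CLOSED ;;   # recursion denied or not advertised
        *)                    echo UNKNOWN ;;  # e.g. SERVFAIL with ra set
    esac
}

# Live check against a real server; needs dig installed. Test a name the server
# is NOT authoritative for (default google.com, as in the text) from an address
# that is outside any allow-recursion ACL.
check_resolver() {  # nameserver [name]
    dig +tries=1 +time=3 @"$1" "${2:-google.com}" A | classify_dig_output
}

# Constructed dig headers (not captured from a real server) for each outcome.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CLOSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

printf '%s\n' "$SAMPLE_OPEN"    | classify_dig_output   # OPEN
printf '%s\n' "$SAMPLE_CLOSED"  | classify_dig_output   # CLOSED
printf '%s\n' "$SAMPLE_TIMEOUT" | classify_dig_output   # UNKNOWN
# check_resolver ns1.example.com   # live check of your own server (placeholder name)
```

Run check_resolver from a machine outside your network after each configuration change; OPEN means the server would still serve an attacker's spoofed queries.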

If the server receives a very large number of requests it refuses, the log fills with "denied" entries, and heavy logging itself slows the server down. To stop denied requests being written to the log, add category security { null; }; to the logging section of named.conf:

vi /etc/named.conf
logging {
    category security { null; };
    channel default_debug {
    ......
    };
};

Be aware that this also discards the record of who is probing or abusing the server, which you may want during an incident, so silence the security category only after recursion has been restricted as described above. On BIND versions that support response rate limiting (the rate-limit option), limiting the responses per second sent to each client network is a better answer to amplification traffic than turning the log off.