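Installing CSF on Ubuntu

By default, the CSF package is not available in the Ubuntu repositories.
To install it, we have to download it and run its install script.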

sudo apt update
wget http://download.configserver.com/csf.tgz

After downloading, run the following commands to extract the downloaded archive and install it.

tar -xvzf csf.tgz
cd csf
sudo bash install.sh

To verify that CSF is installed and running, run the following command:

sudo perl /usr/local/csf/bin/csftest.pl

This will output something like the following:

Testing ip_tables/iptable_filter. OK
Testing ipt_LOG. OK
Testing ipt_multiport/xt_multiport. OK
Testing ipt_REJECT. OK
Testing ipt_state/xt_state. OK
Testing ipt_limit/xt_limit. OK
Testing ipt_recent. OK
Testing xt_connlimit. OK
Testing ipt_owner/xt_owner. OK
Testing iptable_nat/ipt_REDIRECT. OK
Testing iptable_nat/ipt_DNAT. OK
RESULT: csf should function on this server

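CSF ships with several configuration files, all of which are stored in the /etc/csf directory.

The following are CSF's main configuration files, with a description of each:

  • /etc/csf/csf.conf: the main configuration file.
  • /etc/csf/csf.allow: the list of IP and CIDR addresses allowed through the firewall.
  • /etc/csf/csf.deny: the list of IP and CIDR addresses denied by the firewall.
  • /etc/csf/csf.ignore: the list of IP and CIDR addresses ignored by the firewall.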

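Accessing the web interface

CSF Web is a Perl-based web interface.
It lets us easily manage CSF from any web browser.
Run the following command to install the Perl modules it requires: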

sudo apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl

After installation, open the CSF configuration file and edit the web UI login, password and port.

sudo nano /etc/csf/csf.conf

Then modify the following settings:

# This option restricts the ability to modify settings within this file from
# the csf UI. Should the parent control panel be compromised, these restricted
# options could be used to further compromise the server. For this reason we
# recommend leaving this option set to at least "1" and if any of the
# restricted items need to be changed, they are done so from the root shell
#
# 0 = Unrestricted UI
# 1 = Restricted UI
# 2 = Disabled UI
RESTRICT_UI = "1"
# 
# 1 to enable, 0 to disable
UI = "1"
# Set this to the port that want to bind this service to. You should configure
# this port to be >1023 and different from any other port already being used
#
# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
# to the port using Advanced Allow Filters (see readme.txt)
UI_PORT = "8080"
# Optionally set the IP address to bind to. Normally this should be left blank
# to bind to all IP addresses on the server.
#
# If the server is configured for IPv6 but the IP to bind to is IPv4, then the
# IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
# ::ffff:1.2.3.4
#
# Leave blank to bind to all IP addresses on the server
UI_IP = ""
# This should be a secure, hard to guess username
# 
# This must be changed from the default
UI_USER = "admin"
# This should be a secure, hard to guess password. That is, at least 8
# characters long with a mixture of upper and lowercase characters plus 
# numbers and non-alphanumeric characters
#
# This must be changed from the default
UI_PASS = "strong_password_here"
# This is the login session timeout. If there is no activity for a logged in
# session within this number of seconds, the session will timeout and a new

Save the file and exit.

Next, add the IP addresses that are allowed to log in through the web interface.

sudo nano /etc/csf/ui/ui.allow

Restart the service:

sudo service lfd restart

Open the login page and log in with the account configured earlier:

http://127.0.0.1:8080

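Configuring CSF

The first thing to do after installing CSF in production is to disable its testing mode.
By default, CSF has testing mode enabled.

Open its main configuration file and edit it: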

sudo nano /etc/csf/csf.conf

Change the value of TESTING to 0.

We can restrict and monitor services such as SSH, FTP and SMTP.

#
# lfd will not start while this is enabled
TESTING = "0"

Save the changes and reload CSF with the following commands:

sudo csf -r
sudo service lfd restart
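
As an added example (not from the original page and not part of CSF), the following Python check parses csf.conf text and reports the settings that the configuration comments above warn about: testing mode left on, an unrestricted UI, a UI port of 1023 or lower or one opened in TCP_IN, and a weak UI username or password. The sample configuration and the WEAK_USERS list are constructed for illustration; on a server, pass the contents of /etc/csf/csf.conf to parse_csf_conf instead.

```python
import re

# Constructed sample input, not a real server's configuration.
SAMPLE_CONF = '''
TESTING = "1"
TCP_IN = "20,21,22,80,443,8080"
RESTRICT_UI = "0"
UI = "1"
UI_PORT = "8080"
UI_USER = "admin"
UI_PASS = "strong_password_here"
'''
WEAK_USERS = {"", "admin", "username"}  # this example's own list, an assumption
PASS_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

def parse_csf_conf(text):
    """Return {NAME: value} for each NAME = "value" line; comment lines are skipped."""
    return dict(re.findall(r'^[ \t]*([A-Z][A-Z0-9_]*)[ \t]*=[ \t]*"([^"]*)"', text, re.M))

def port_listed(port, port_list):
    """True if port is in a csf port list such as "22,80,30000:35000"."""
    for item in filter(None, map(str.strip, port_list.split(","))):
        low, _, high = item.partition(":")
        if low.isdigit() and int(low) <= port <= int(high if high.isdigit() else low):
            return True
    return False

def audit(settings):
    """Return findings for the csf.conf settings edited on this page."""
    findings = []
    if settings.get("TESTING") != "0":
        findings.append("TESTING is on: lfd will not start")
    if settings.get("UI") != "1":
        return findings  # web UI disabled, nothing further to check
    if settings.get("RESTRICT_UI", "0") == "0":
        findings.append("RESTRICT_UI is 0: unrestricted UI")
    port = settings.get("UI_PORT", "")
    if not port.isdigit() or int(port) <= 1023:
        findings.append("UI_PORT should be a number above 1023")
    elif port_listed(int(port), settings.get("TCP_IN", "")):
        findings.append("UI_PORT is open in TCP_IN: allow only trusted IPs instead")
    if settings.get("UI_USER", "") in WEAK_USERS:
        findings.append("UI_USER is a default or easy-to-guess name")
    password = settings.get("UI_PASS", "")
    if len(password) < 8 or not all(re.search(c, password) for c in PASS_CLASSES):
        findings.append("UI_PASS is under 8 characters or lacks a character class")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_csf_conf(SAMPLE_CONF))))
```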

To view the list of default firewall rules, run the following command:

sudo csf -l

The default rules loaded into the tables:

iptables filter table
=====================
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     9072   21M LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
2     3024 2709K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
3     8786   21M INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0

To allow an IP address through the firewall, simply run the following command:

sudo csf -a 192.168.1.1

To deny an IP address, run the following command:

sudo csf -d 192.168.1.1

To remove a blocked IP address, run the following command:

sudo csf -dr 192.168.1.1

To remove an IP address from the allow list, run the following command:

sudo csf -ar 192.168.1.1

To flush and restart CSF, run the following commands:

sudo csf -f
sudo csf -r

To disable CSF, run the following command:

sudo csf -x

To enable it, run the following command:

sudo csf -e

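CSF is a free, open-source stateful packet inspection (SPI) firewall, based on iptables, that provides a high level of security for Linux servers. It also provides login and intrusion detection, helping to protect Linux systems against threats and other attacks.

How to install ConfigServer Security & Firewall (CSF) on Ubuntu 20.04

Date: 2020-07-07 20:55:10 Source: oir Author: oir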