How to install CSF (ConfigServer Security & Firewall) with DirectAdmin or WHM

https://duntuk.com/how-install-csf-configserver-security-firewall


Created on 2014-Feb-13

Updated on 2017-Jan-06

Block IPs with Brute Force Monitor in DirectAdmin using CSF

Source: https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm

Regular install of CSF

cd /usr/local/src
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
./install.directadmin.sh

Now log in as Admin to DirectAdmin or WHM, and click the ConfigServer Security & Firewall link.

You’ll probably want to add your WAN IP here; you can find out what it is at http://www.ip-secrets.com/

Then add your WAN IP to the Quick Allow column.

Next, click Firewall Configuration and set TESTING to 0 to disable testing mode:

TESTING = 0

TCP_IN = 20,21,22,25,53,80,110,143,443,465,587,993,995,2222,CUSTOMPORT

If you use git, you’ll also want to add its port (9418) to TCP_OUT:

TCP_OUT = 20,21,22,25,53,80,110,113,443,587,993,995,2222,9418

Also, if you are hosting a git repository on your server, you’ll want to add it to TCP_IN:

TCP_IN = 20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,2222,9418

You can leave the rest as is. Scroll down to the bottom of the page, and click the Change button to save your changes.

Once your firewall is up and running, you can click the Check Server Security button to see what security weaknesses your server may have. NOTE: you don’t need to fix everything in red (there are some PHP functions that you may rely on), but you should fix the easy ones, like adding noexec,nosuid to your /etc/fstab.

As long as you’re in the upper yellow score (70+) you should be fine.

Set CSF to ignore certain long running processes

CSF has good default settings for ignoring long-running processes, but there are still a few you may want to add.

For example, if you’re using dovecot managesieve-login, you’ll get a ton of warnings like:

lfd on server.somesserver.com: Suspicious process running under user dovecot

To avoid that, we have to edit /etc/csf/csf.pignore

vi /etc/csf/csf.pignore

Make sure it looks something like this. I’ve added exe:/usr/libexec/dovecot/managesieve-login and exe:/usr/bin/memcached:

exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/libexec/gam_server
exe:/usr/sbin/named
exe:/usr/sbin/exim
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/libexec/hald-addon-acpi
exe:/usr/sbin/hald
exe:/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
exe:/usr/libexec/hald-addon-keyboard
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/imap-login
exe:/usr/local/directadmin/directadmin
exe:/usr/local/directadmin/dataskq
exe:/usr/sbin/httpd
exe:/usr/bin/dbus-daemon
exe:/usr/local/mysql-5.1.54-linux-x86_64/bin/mysqld
exe:/usr/libexec/dovecot/anvil
exe:/usr/sbin/ntpd
exe:/sbin/ntpd
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/libexec/dovecot/managesieve-login
exe:/usr/bin/memcached

Now restart CSF

csf -r

or

service csf restart

And… we’re done.
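
The csf.pignore edit above can also be scripted so that repeat runs never duplicate an entry, and so that ignore entries for binaries no longer on the host can be found. This is an added example, not part of the original article or of CSF itself. The names pignore_add, pignore_stale, pignore_demo and the PIGNORE variable are chosen here, and the demo works on a constructed temporary file rather than the live /etc/csf/csf.pignore.

```shell
#!/bin/sh
# Added example, not from the original page. PIGNORE may be overridden so the
# functions can be tried on a copy before touching the live file.
PIGNORE="${PIGNORE:-/etc/csf/csf.pignore}"

# pignore_add PATH...: append "exe:PATH" for every absolute path that is not
# already listed; prints how many lines were added.
pignore_add() {
    added=0
    # Repair a missing final newline so the new entry does not merge into it.
    if [ -s "$PIGNORE" ] && [ -n "$(tail -c 1 "$PIGNORE")" ]; then
        echo >> "$PIGNORE"
    fi
    for bin in "$@"; do
        case "$bin" in
            /*) ;;
            *) echo "skipped, not an absolute path: $bin" >&2; continue ;;
        esac
        # -x whole line, -F literal: "/usr/bin/memcached" must not match
        # "/usr/bin/memcached-tool" or be read as a regex.
        if ! grep -qxF "exe:$bin" "$PIGNORE" 2>/dev/null; then
            printf 'exe:%s\n' "$bin" >> "$PIGNORE"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# pignore_stale: print exe: entries whose binary is absent on this host.
# Every entry is a path lfd will never report, so unused ones are worth pruning.
pignore_stale() {
    grep '^exe:' "$PIGNORE" | while IFS= read -r line; do
        [ -x "${line#exe:}" ] || printf '%s\n' "$line"
    done
}

# Demo on a constructed temporary file (sample entries, not a real config).
pignore_demo() {
    PIGNORE=$(mktemp)
    printf 'exe:/bin/sh\nexe:/usr/sbin/exim' > "$PIGNORE"   # no final newline
    pignore_add /usr/libexec/dovecot/managesieve-login /bin/sh
    pignore_stale
    rm -f "$PIGNORE"
}
pignore_demo
```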