Server Security: install and configure the CSF firewall

Source: Internet
Author: User

The server is constantly being probed by password guessers. Open the ssh log (secure) and it is nothing but login attempts; it leaves you speechless. Alas, hackers, can't you share some of that attention with other people? Well, it is feasible to use a shell script that periodically checks the log file, counts the accesses in a period of time, and blocks the IP address when a threshold is exceeded. But, okay, I admit I'm lazy, and to be fair a hardware firewall is king, as everyone knows...

Let's talk about the csf firewall. It:
1. Prevents brute-force password cracking and automatically blocks IP addresses with repeated failed logins
2. Manages network ports and opens only the necessary ones
3. Protects against small-scale DDoS and CC attacks
The csf firewall provides a web GUI management interface and a cPanel plug-in; it can also be managed from the CLI. To be honest, I don't even know what a VPS management panel looks like, let alone having used one. My friends' VPSes are maintained entirely over ssh as well; I have never used a panel or anything of the sort.
The installation of csf:
1. Install the dependency packages:
yum install perl-libwww-perl iptables

2. Download and install CSF:
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

3. Test whether CSF works properly (all required iptables modules must report OK):
[root@localhost csf]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter... OK
Testing ipt_LOG... OK
Testing ipt_multiport/xt_multiport... OK
Testing ipt_REJECT... OK
Testing ipt_state/xt_state... OK
Testing ipt_limit/xt_limit... OK
Testing ipt_recent... OK
Testing xt_connlimit... OK
Testing ipt_owner/xt_owner... OK
Testing iptable_nat/ipt_REDIRECT... OK
Testing iptable_nat/ipt_DNAT... OK
RESULT: csf should function on this server

Configuration of csf:
The configuration file of CSF is /etc/csf/csf.conf.
# Allow incoming TCP ports
# We recommend that you change the default SSH port (22) to another port, but be sure to add the new port to the next line.
TCP_IN = "20,21,47,81,1723,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports; same as above. Add the SSH logon port to the next line.
# When a program requires a range of ports to be opened, such as the passive mode of Pure-FTPd, a range like 30000-35000 is written as 30000:35000 in the list.
TCP_OUT = "20,21,47,81,1723,25,53,80,110,113,443"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
# Allow incoming PING: whether to allow others to ping your server. The default value is 1; 0 does not allow it.
ICMP_IN = "1"

You can understand the above configuration at a glance. Next we introduce several common options.
Immunity to some types of small-scale DDoS attacks:
# Connection Tracking. This option enables tracking of all connections from IP
# addresses to the server. If the total number of connections is greater than
# this value then the offending IP address is blocked. This can be used to help
# prevent some types of DOS attack.
#
# Care should be taken with this option. It's entirely possible that you will
# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
# and HTTP so it could be quite easy to trigger, especially with a lot of
# closed connections in TIME_WAIT. However, for a server that is prone to DOS
# attacks this may be very useful. A reasonable setting for this option might
# be around 200.
#
# To disable this feature, set this to 0
CT_LIMIT = "200" # Number of connections from the same IP address within a fixed period of time
# Connection Tracking interval. Set this to the number of seconds between
# connection tracking scans
CT_INTERVAL = "30" # the fixed period mentioned above, in seconds
# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = "1" # whether to send emails
# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
# Whether to permanently block suspicious IP addresses. The default value is 0, that is, temporary blocking.
CT_PERMANENT = "0"
# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins)
# Temporary blocking time:
CT_BLOCK_TIME = "1800"
# If you don't want to count the TIME_WAIT state against the connection count
# then set the following to "1"
CT_SKIP_TIME_WAIT = "0" # whether connections in the TIME_WAIT state are counted
# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
# Leave this option empty to count all states against CT_LIMIT
CT_STATES = "" # which connection states are counted; empty means all states
# If you only want to count specific ports (e.g. 80,443) then add the ports
# to the following as a comma separated list. E.g. "80,443"
#
# Leave this option empty to count all ports against CT_LIMIT
# Ports to count; if empty, connections to all ports are counted.
CT_PORTS = ""
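As an added illustration of how the CT_* options interact (not csf's own code, which is Perl, and not from the original post), a shell/awk filter that counts connections per remote IP from a constructed netstat-like listing and reports the IPs exceeding CT_LIMIT, applying CT_SKIP_TIME_WAIT, CT_PORTS and CT_STATES the way the comments above describe. The listing format (state, local port, remote IP) and the addresses are constructed sample data.

```shell
#!/bin/sh
# Constructed connection listing (state, local port, remote IP); not real netstat output.
SAMPLE_CONNS='ESTABLISHED 80 198.51.100.7
TIME_WAIT 80 198.51.100.7
TIME_WAIT 80 198.51.100.7
ESTABLISHED 443 198.51.100.7
SYN_RECV 22 203.0.113.9
SYN_RECV 22 203.0.113.9
ESTABLISHED 25 192.0.2.4'

# ct_offenders CT_LIMIT CT_SKIP_TIME_WAIT CT_PORTS CT_STATES   (connections on stdin)
# Prints, one per line, the remote IPs whose counted connections exceed CT_LIMIT.
# Mirrors the option semantics: TIME_WAIT rows are skipped when CT_SKIP_TIME_WAIT=1,
# and only the listed CT_PORTS / CT_STATES are counted when those lists are non-empty.
ct_offenders() {
    awk -v limit="$1" -v skip_tw="$2" -v ports="$3" -v states="$4" '
    BEGIN {
        gsub(/ /, "", ports); gsub(/ /, "", states)   # tolerate "80, 443" style lists
        n = split(ports, p, ",");  for (i = 1; i <= n; i++) if (p[i] != "") want_port[p[i]] = 1
        n = split(states, s, ","); for (i = 1; i <= n; i++) if (s[i] != "") want_state[s[i]] = 1
    }
    {
        if (skip_tw == "1" && $1 == "TIME_WAIT") next
        if (ports != "" && !($2 in want_port)) next
        if (states != "" && !($1 in want_state)) next
        count[$3]++
    }
    END { for (ip in count) if (count[ip] > limit) print ip }' | sort
}

# Same sample under three policies: count everything; skip TIME_WAIT (fewer false
# positives, as the comments warn); count only SYN_RECV on port 22.
printf '%s\n' "$SAMPLE_CONNS" | ct_offenders 2 0 "" ""
printf '%s\n' "$SAMPLE_CONNS" | ct_offenders 2 1 "" ""
printf '%s\n' "$SAMPLE_CONNS" | ct_offenders 1 0 "22" "SYN_RECV"
```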

After the above settings are completed, test them first in testing mode. If there is no problem, switch from testing mode to production mode:
# Change the default value of 1 to 0.
TESTING = "0"
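As an added example (not from the original post or from csf itself), a small POSIX shell check that reads a csf.conf-style port list, honours csf's low:high range syntax, and confirms the SSH port is present in TCP_IN before TESTING is switched to 0, which is the lock-out the comments above warn about when the SSH port is changed. The sample config and its port values are constructed.

```shell
#!/bin/sh
# Constructed csf.conf-style sample (hypothetical values, not the page's or csf's own file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,30000:35000"
TCP_OUT = "20,21,25,53,80,110,113,443"
TESTING = "1"
EOF

# csf_get VAR FILE: print the quoted value of VAR (csf.conf lines look like NAME = "value").
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# csf_port_listed VAR PORT FILE: succeed if PORT is covered by VAR's list,
# treating "low:high" entries as inclusive ranges the way csf does.
csf_port_listed() {
    list=$(csf_get "$1" "$3" | tr -d ' ')
    port=$2
    found=1
    old_ifs=$IFS
    IFS=,
    for entry in $list; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then found=0; fi ;;
            *)   if [ "$entry" = "$port" ]; then found=0; fi ;;
        esac
    done
    IFS=$old_ifs
    return $found
}

# csf_ready_for_production SSH_PORT FILE: the lock-out check to run before
# changing TESTING="1" to TESTING="0": the SSH port must be allowed in TCP_IN.
csf_ready_for_production() {
    csf_port_listed TCP_IN "$1" "$2"
}

if csf_ready_for_production 22 "$SAMPLE_CONF"; then
    echo "port 22 is in TCP_IN: safe to set TESTING=\"0\""
else
    echo "port 22 missing from TCP_IN: do NOT set TESTING=\"0\" yet"
fi
```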

There are two files under /etc/csf/:
csf.allow and csf.deny
The allowed IP addresses and the prohibited IP addresses are kept here, and you can edit both files by hand. For example, to stop someone from accessing this server, add their IP address to the csf.deny list; to avoid being blocked by mistake yourself, add your own IP address to the csf.allow list. After adding entries, remember to restart the csf firewall.
Either /etc/init.d/csf restart or csf -r restarts it.
