Firewalls help filter access to ports and block brute-force login attempts. I tend to use the powerful CSF (ConfigServer Firewall). It is built on iptables, is easy to manage, and provides a web interface for users who are not comfortable entering commands.
To install CSF, log on to the server first and switch to this directory:
The code is as follows:
cd /usr/local/src/
Then execute the following command with root permissions:
The code is as follows:
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Just wait for setup to complete, and then edit the CSF configuration file:
The code is as follows:
/etc/csf/csf.conf
By default, CSF runs in testing mode, in which it does not actually block anything. Switch to production mode by setting the value of TESTING to 0:
The code is as follows:
TESTING = "0"
The following settings define the ports allowed on the server. In csf.conf, find the following section and adjust the ports as needed:
The code is as follows:
# Allow inbound TCP ports
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,16543"
# Allow outbound TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,16543"
# Allow inbound UDP ports
UDP_IN = "20,21,53"
# Allow outbound UDP ports
# To allow outgoing traceroute requests, add the port range 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
When adapting these to your needs, allow only the ports you actually use rather than wide ranges of ports. Also avoid ports that belong to insecure services. For example, allow only ports 465 and 587 for sending e-mail instead of the default SMTP port 25. (LCTT: provided your mail server supports SMTPS.)
Important: never forget to allow your custom SSH port, or you will lock yourself out.
It is also important to let your own IP address through the firewall so it never gets blocked. Such IP addresses are listed in the following file:
The code is as follows:
/etc/csf/csf.ignore
Blocked IP addresses appear in this file:
The code is as follows:
/etc/csf/csf.deny
Once the changes are complete, restart CSF with this command:
The code is as follows:
sudo /etc/init.d/csf restart
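Before restarting, it is worth checking the two settings this section warns about: that TESTING is really 0 and that your SSH port is in TCP_IN. The following is an added example script, not part of CSF; it assumes csf.conf's `KEY = "value"` line syntax, takes the SSH port to verify as an argument, and runs here against a constructed sample file rather than /etc/csf/csf.conf.

```shell
#!/bin/sh
# Added example (not CSF's own code): sanity-check a csf.conf before
# restarting CSF. Assumes CSF's  KEY = "value"  syntax.

# Print the value of a csf.conf key with the quotes stripped; empty if absent.
csf_get() {
    # $1 = config file, $2 = key name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 if port $2 appears in the comma-separated list $1 (ranges a:b are ignored).
port_in_list() {
    echo "$1" | tr ',' '\n' | grep -qxF "$2"
}

# Check a csf.conf ($1) for the SSH port ($2). Returns 0 when safe to restart,
# 1 otherwise, printing each finding.
csf_check() {
    conf="$1"; ssh_port="$2"; rc=0
    testing=$(csf_get "$conf" TESTING)
    tcp_in=$(csf_get "$conf" TCP_IN)
    if [ "$testing" != "0" ]; then
        echo "WARN: TESTING=\"$testing\" - CSF is still in test mode and blocks nothing"; rc=1
    fi
    if ! port_in_list "$tcp_in" "$ssh_port"; then
        echo "ERROR: SSH port $ssh_port is not in TCP_IN - you would lock yourself out"; rc=1
    fi
    if port_in_list "$tcp_in" 25; then
        echo "NOTE: TCP_IN allows port 25 (plain SMTP); consider 465/587 only"
    fi
    return $rc
}

# Constructed sample config (not a real server's file) so the script runs offline.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,16543"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,16543"
EOF
csf_check "$SAMPLE_CONF" 2222 || echo "fix csf.conf before restarting CSF"
```

Run it as `csf_check /etc/csf/csf.conf <your-ssh-port>` on a real server; a non-zero exit means the config still needs attention.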
The following excerpt from the csf.deny file on one of my servers illustrates how useful CSF is:
The code is as follows:
211.216.48.205 # lfd: (sshd) Failed SSH login from 211.216.48.205 (KR/Korea, Republic of/-): 5 in the last 3600 secs - Fri Mar 6 00:30:35 2015
103.41.124.53 # lfd: (sshd) Failed SSH login from 103.41.124.53 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 01:06:46 2015
103.41.124.42 # lfd: (sshd) Failed SSH login from 103.41.124.42 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 01:59:04 2015
103.41.124.26 # lfd: (sshd) Failed SSH login from 103.41.124.26 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 02:48:26 2015
109.169.74.58 # lfd: (sshd) Failed SSH login from 109.169.74.58 (GB/United Kingdom/mail2.algeos.com): 5 in the last 3600 secs - Fri Mar 6 03:49:03 2015
You can see that the IP addresses attempting brute-force logins have been blocked. Isn't that a relief to see?