Setting up a firewall on a Linux server

Source: Internet
Author: User
Tags: ssh, firewall

Firewalls help filter access to ports and prevent brute-force login attempts. I tend to use the powerful CSF (ConfigServer Firewall). It is built on iptables, is easy to manage, and provides a web interface for users who are not comfortable entering commands.

To install CSF, log on to the server and change to this directory:

The code is as follows:

cd /usr/local/src/

Then execute the following command with root permissions:

The code is as follows:

wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Wait for the installation to complete, then edit the CSF configuration file:

The code is as follows:

/etc/csf/csf.conf

By default, CSF runs in testing mode, in which its rules are flushed every few minutes so you cannot lock yourself out. Switch to production mode by setting the value of TESTING to 0:

The code is as follows:

TESTING = "0"

The following settings define the ports allowed on the server. In csf.conf, find the following section and adjust the ports as needed:

The code is as follows:

# Allow incoming TCP ports
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,16543"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,16543"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute, add the port range 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

Adjust these lists to your needs, but open only the ports you actually require rather than wide ranges, and avoid ports belonging to insecure services. For example, allow only ports 465 and 587 for sending e-mail instead of the default SMTP port 25. (LCTT note: if your mail server supports SMTPS.)

Important: never forget to allow your custom SSH port.

It is also important that your own IP address can pass through the firewall and is never blocked. Such addresses are listed in the following file:

The code is as follows:

/etc/csf/csf.ignore

Blocked IP addresses appear in this file:

The code is as follows:

/etc/csf/csf.deny

Once the changes are complete, restart CSF with this command:

The code is as follows:

sudo /etc/init.d/csf restart

The following excerpt from the csf.deny file on one server illustrates how useful CSF is:

The code is as follows:

211.216.48.205 # lfd: (sshd) Failed SSH login from 211.216.48.205 (KR/Korea, Republic of/-): 5 in the last 3600 secs - Fri Mar  6 00:30:35 2015
103.41.124.53 # lfd: (sshd) Failed SSH login from 103.41.124.53 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar  6 01:06:46 2015
103.41.124.42 # lfd: (sshd) Failed SSH login from 103.41.124.42 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar  6 01:59:04 2015
103.41.124.26 # lfd: (sshd) Failed SSH login from 103.41.124.26 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar  6 02:48:26 2015
109.169.74.58 # lfd: (sshd) Failed SSH login from 109.169.74.58 (GB/United Kingdom/mail2.algeos.com): 5 in the last 3600 secs - Fri Mar  6 03:49:03 2015

As you can see, IP addresses that attempted brute-force logins have been blocked. Out of sight, out of mind!
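As an added example (not part of the original article and not CSF's own tooling), the following Python parses csf.deny entries in the lfd format shown above and checks a csf.conf fragment for the two mistakes the text warns about: leaving TESTING on and omitting the SSH port from TCP_IN. The deny entries and the config fragment are constructed samples; the hostname is made up.

```python
import re
from collections import Counter
# Constructed csf.deny sample in the lfd format shown above (hostname made up).
SAMPLE_DENY = """\
211.216.48.205 # lfd: (sshd) Failed SSH login from 211.216.48.205 (KR/Korea, Republic of/-): 5 in the last 3600 secs - Fri Mar  6 00:30:35 2015
103.41.124.53 # lfd: (sshd) Failed SSH login from 103.41.124.53 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar  6 01:06:46 2015
103.41.124.42 # lfd: (sshd) Failed SSH login from 103.41.124.42 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar  6 01:59:04 2015
109.169.74.58 # lfd: (sshd) Failed SSH login from 109.169.74.58 (GB/United Kingdom/mail2.example.net): 5 in the last 3600 secs - Fri Mar  6 03:49:03 2015
"""
DENY_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+#\s*lfd:\s+\((?P<service>\w+)\)\s+"
    r"(?P<reason>.+?)\s+\((?P<cc>\w{2})/(?P<country>[^/]*)/(?P<host>[^)]*)\):\s+"
    r"(?P<count>\d+) in the last (?P<window>\d+) secs - (?P<when>.+)$"
)

def parse_deny(text):
    """Return one dict per parsable csf.deny entry; blank or manual lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DENY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["count"], d["window"] = int(d["count"]), int(d["window"])
            entries.append(d)
    return entries

def blocks_by_country(entries):
    """Count blocked addresses per country code to see where brute-force traffic comes from."""
    return Counter(e["cc"] for e in entries)

# Constructed csf.conf fragment; CSF quotes values and separates ports with commas.
SAMPLE_CONF = 'TESTING = "1"\nTCP_IN = "20,21,25,53,80,443"\nTCP_OUT = "22,80,443"\n'

def _ports(spec):
    """Expand a CSF port list such as "22,80,33434:33523" into a set of ints."""
    ports = set()
    for item in filter(None, spec.split(",")):
        lo, _, hi = item.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def check_conf(text, ssh_port=22):
    """Return findings: test mode still on, or the SSH port missing from TCP_IN (lock-out risk)."""
    values = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, re.M))
    findings = []
    if values.get("TESTING") != "0":
        findings.append("TESTING is not 0: CSF is still in test mode")
    if ssh_port not in _ports(values.get("TCP_IN", "")):
        findings.append(f"SSH port {ssh_port} is not in TCP_IN: lock-out risk")
    return findings
```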
