ConfigServer Firewall (csf)

The mains scripts provided by the csf are:

# Straight-forward SPI (Stateful Packet Inspection) iptables firewall script.
# Daemon process that checks for login authentication failures for:

* courier imap and pop3
* ssh
* non-ssl cpanel / whm / webmail (cPanel servers only)
* pure-pftd
* password protected web pages (htpasswd)
* mod_security failures

# POP3/IMAP login tracking to enforce logins per hour
# SSH login notification
# Excessive connection blocking
# WHM iptables report log (cPanel servers only)
# Block traffic on unused server IP addresses - helps reduce the risk to your server
# Alert when end-user scripts sending excessive emails per hour - for identifying spamming scripts
# Suspicious process reporting - reports potential exploits running on the server
# Excessive user processes reporting
# Suspicious file reporting - reports potential exploit files in /tmp and similar directories
# Directory and file watching - reports if a watched directory or a file changes
# Server Security Check - Performs a basic security and settings check on the server (cPanel servers only)
# Alert sent if server load average remains high for a specified length of time
# mod_security log reporting (if installed)

ConfigServer Security & Firewall

CSF is an add-on product for cPanel servers running on Linux.

This suite of scripts provides:

1. A straight-forward SPI iptables firewall script
2. A daemon process that checks for Login Authentication
3. A WHM configuration interface

ConfigServer Firewall (csf)

CSF is a Stateful Packet Inspection (SPI) iptables firewall that may not be as complicated and comprehensive as others, but is straight-forward, easy and flexible to configure and secure with more checks to ensure smooth operation.

Login Failure Daemon (lfd)

LFD is daemon process that runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that continually fail within a short period of time. Such attempts are often called “Brute-force attacks” and the daemon process responds very quickly to such patterns and blocks offending IP’s quickly.

lfd is also integrated into chkservd on installation so that the WHM > Service
Manager > will restart lfd if it fails for any reason.

WHM Configuration Interface
To help with the ease and flexibility of the suite , csf and lfd developed with a front end
which is accessible by the root account through WHM. From there you can modify the configuration files and stop, start and restart the applications and check their status. This makes configuring and managing the firewall very simple indeed.

2. csf Principles
The idea with csf, as with most iptables firewall configurations, is to block
everything and then allow through only those connections that you want. This is
done in iptables by DROPPING all connections in and out of the server on all
protocols. Then allow traffic in and out from existing connections. Then open
ports up in and outgoing for both TCP and UDP individually.

This way we can control exactly what traffic is allowed in and out of the
server and helps protect the server from malicious attack.

A port filtering firewall can help is when a user level compromise occurs and a hacker installs DOS tools to effect other servers. A firewall configured to block outgoing connections except on specific ports can help prevent DOS attacks from working and make it immediately apparent to you from the system logs.

3. lfd Principles

One of the best ways to protect the server from inbound attack against network
daemons is to monitor their authentication logs. Invalid login attempts which
happen in a short space of time from the same source can often mean someone is
attempting to brute-force their way into the server, usually by guessing
usernames and passwords and therefore generating authentication and login
failures.

lfd can monitor the most commonly abused protocols, SSHD, POP3, IMAP, FTP and
HTTP password protection. Unlike other applications, lfd is a daemon process
that monitors logs continuously and so can react within seconds of detecting
such attempts.

Once the number of failed login attempts is reached, lfd immediately forks a
sub-process and uses csf to block the offending IP address from both in and
outgoing connections. Stopping the attack in its tracks in a quick and timely
manner.

If you want to know when lfd blocks an IP address you can enable the email
alert (which is on by default) and you should watch the log file in
/var/log/lfd.log. If you use logcheck, you can add it to your log monitoring
by editing logcheck.sh and adding the line:

$LOGTAIL /var/log/lfd.log >> $TMPDIR/check.$$

4. csf Command Line Options

You can view the csf command line options by using:

# csf -h

Usage: /usr/sbin/csf [option] [value]

Option Meaning
-h, –help Show this message
-l, –status List/Show iptables configuration
-s, –start Start firewall rules
-f, –stop Flush/Stop firewall rules
-r, –restart Restart firewall rules
-a, –add [ip] Add an IP address to be whitelisted to /etc/csf.allow
-d, –deny [ip] Add an IP address to be blocked to /etc/csf.deny
-u, –update Checks for updates to csf+lfd and performs an upgrade if
available
-x, –disable Disable csf and lfd
-e, –enable Enable csf and lfd if previously disabled
-v, –version Show csf version

These options allow you to easily and quickly control and view csf. All the
configuration files for csf are in /etc/csf and include:

csf.conf - the main configuration file, it has helpful comments explaining what each option does
csf.allow - a list of IP’s and CIDR addresses that should always be allowed through the firewall
csf.deny - a list of IP’s and CIDR addresses that should never be allowed through the firewall

If you modify any of the files listed above, you will need to restart csf to
have them take effect. Both csf.allow and csf.deny can have comments after the IP address listed. The comments must be on the same line as the IP address otherwise the IP rotation of csf.deny will remove them.

You can also include comments when using the csf -a or csf -d commands, but in
those cases you must not use a # like this:

csf -d 11.22.33.44 Added because I don’t like them

5. lfd Command Line Options

lfd doesn’t have any command line options of its own but is controlled through
the init script /etc/init.d/lfd which stops and starts the daemon. It is
configured using the /etc/csf/csf.conf file.

The best way to see what lfd is up to is to take a look in /var/log/lfd.log
where its activities are logged.

The various email alert templates follow, care should be taken if you
modify that file to maintain the correct format:

/etc/csf/alert.txt - for port blocking emails
/etc/csf/tracking.txt - for POP3/IMAP blocking emails
/etc/csf/connectiontracking.txt - for connection tracking emails
/etc/csf/processtracking.txt - for process tracking alert emails
/etc/csf/usertracking.txt - for user process tracking alert emails
/etc/csf/sshalert.txt - for SSH login emails
/etc/csf/sualert.txt - for SU alert emails
/etc/csf/scriptalert.txt - for script alert emails
/etc/csf/filealert.txt - for suspicious file alert emails
/etc/csf/watchalert.txt - for watched file and directory change alert emails
/etc/csf/loadalert.txt - for high load average alert emails
/etc/csf/resalert.txt - for process resource alert emails

If you have problems getting lfd to start you can edit /etc/csf/lfd.pl and set
the $debug variable to 1. This will prevent the daemon process from forking and
allow you to see any perl errors that might be occurring.

7. Script Email Alerts

lfd can scan for emails being sent through exim from scripts on the server.

To use this feature you must add an extended email logging line to WHM >
Exim Configuration Editor > Switch to Advanced Mode > in the first textbox
add the following line:

log_selector = +arguments +subject

If you already already use extended exim logging, then you need to either
include +arguments or use +all

This setting will then send an alert email if more than LF_SCRIPT_LIMIT lines
appear with the same cwd= path in them within an hour. This can be useful in
identifying spamming scripts on a server, especially PHP scripts running
under the nobody account. The email that is sent includes the exim log lines
and also attempts to find scripts that send email in the path that may be the
culprit.

This option uses the /etc/csf/scriptalert text file for alert emails.

If you enable the option LF_SCRIPT_ALERT then lfd will disable the path using
chattr +i and chmod 000 so that the user cannot re-enable it. The alert email
also then includes the commands needed to re-enable the offending path.

Any false-positives can be added to /etc/csf/csf.signore and lfd will then
ignore those listed scripts.

8. Process Tracking

This option enables tracking of user and nobody processes and examines them for
suspicious executables or open network ports. Its purpose is to identify
potential exploit processes that are running on the server.
If a suspicious process is found an alert email is sent with relevant information.

It is then the responsibility of the recipient to investigate the process
further as the script takes no further action. Processes (PIDs) are only
reported once unless lfd is restarted.

There is an ignore file /etc/csf/csf.pignore which can be used to whitelist
either usernames or full paths to binaries

You must use the following format:

exe:/full/path/to/file
user:username
cmd:command line

The command line as reported in /proc has the trailing null character removed
and all other occurrences replaced with a space. So, the line you specify in
the file should have space separators for the command line arguments, not null
characters.

The email alerts are sent using the processtracking.txt email template.

It should be noted that this feature will not pickup a root compromise as root
processes are ignored - you should use established IDS tools for such security
considerations.

9. Directory Watching

Directory Watching enables lfd to check /tmp and /dev/shm and other pertinent
directories for suspicious files, i.e. script exploits.

If a suspicious file is found an email alert is sent using the template
filealert.txt.

To remove any suspicious files found during directory watching, enable
corresponding setting the suspicious files will be appended to a tarball in
/etc/csf/suspicious.tar and deleted from their original location. Symlinks are
simply removed.

If you want to extract the tarball to your current location, use:
tar -xpf /etc/csf/suspicious.tar
This will preserver the path and permissions of the original file.

The lfd directory watching will ignore the files which added in csf.fignore files
/etc/csf/csf.fignore
You must specify the full path to the file

/tmp/clamav.*

You can also add entries to ignore files owner by a particular user by
preceding it with user:, for example:
user:bob

Note: files owned by root are ignored

The second aspect of Directory Watching is enabled with LF_DIRWATCH_FILE. This
option allows you to have lfd watch a particular file or directory for changes
and should they change and email alert using watchalert.txt is sent. It uses a
simple md5sum match from the output of “ls -laAR” on the entry and so will
traverse directories if specified.

10. Advanced Allow/Deny Filters

In /etc/csf.allow and /etc/csf.deny you can add more complex port and ip
filters using the following format (you must specify a port AND an IP address):

tcp/udp:in/out:s/d=port:s/d=ip:u=uid

Broken down:

tcp/udp : EITHER tcp OR udp protocol
in/out : EITHER incoming OR outgoing connections
s/d=port : EITHER source OR destination port number (use a _ for a port range)
s/d=ip : EITHER source OR destination IP address
u/g=UID : EITHER UID or GID of source packet, implies outgoing connections, s/d=IP value is ignored

Examples:

# TCP connections inbound to port 3306 from IP 11.22.33.44
tcp:in:d=3306:s=11.22.33.44

# UDP connections outbound to port 22 on IP 11.22.33.44
udp:out:d=22:d=11.22.33.44

Installation

wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

If you would like to disable APF+BFD (which you will need to do if you have
them installed otherwise they will conflict horribly):

sh disable_apf_bfd.sh

That’s it. You can then configure csf and lfd in WHM, or edit the files
directly in /etc/csf/*

Uninstallation

Removing csf and lfd is even more simple:

cd /etc/csf
sh uninstall.sh

Article Authored by Sibu Skariah,

Author, Sibu, is a Sr.Systems Engineer with SupportPRO. Sibu specializes in Windows and Linux servers. SupportPRO offers 24X7 technical support services to Web hosting companies and service providers.