1) Configuration on the node (main server):
Before starting the CSF installation, check whether the following modules are loaded in the kernel:
ipt_conntrack
ip_tables
ipt_LOG
ipt_multiport
ipt_REJECT
ipt_state
ipt_limit
ipt_recent
ipt_owner
iptable_nat
You can check this as follows:
# lsmod | grep -i {modules}
If a module is not loaded, insert it into the kernel:
# modprobe {modules}
eg: modprobe ipt_recent
Add these modules to the iptables configuration as follows:
# vi /etc/sysconfig/iptables-config
Add the following line to this file:
IPTABLES_MODULES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc"
Add the same modules to the VPS configuration file (100 is the VPS ID in this example):
# vi /etc/sysconfig/vz-scripts/100.conf
IPTABLES_MODULES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc"
The node (main server) configuration is now complete. Restart the VPS:
# vzctl restart
eg: vzctl restart 100
2) VPS configuration:
Enter the VPS and fetch the installer:
# cd /usr/local/src/
# wget http://www.configserver.com/free/csf.tgz
# tar zxvf csf.tgz
# cd csf
# ./install.sh
To test that all the required iptables modules are available:
# ./csftest.pl
If you are running the APF/BFD firewall, it has to be removed for CSF to work:
# ./remove_apf_bfd.sh
Now edit the CSF config file to implement the firewall as per our needs:
# vi /etc/csf/csf.conf
TESTING = "1"
(We will change it to zero "0" when we have finished and are sure we have configured it correctly. While TESTING is "1", CSF runs a cron job that clears the firewall rules at regular intervals, so a mistake in the port lists cannot lock you out of the server.)
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
(Put all the ports which you want to be open on your server for incoming and outgoing traffic here, separated by commas. Make sure your SSH port is in TCP_IN before TESTING is set to "0".)
PORTFLOOD = "80;tcp;20;5"
(To protect any specific port on your server from DoS attacks, define it in the PORTFLOOD setting. By default it is empty; here I limit port 80 (the web server) to 20 connections per 5 seconds.)
After this, save the file and start the csf service:
# /etc/init.d/csf start
Once you have completed the configuration and are sure that every rule is implemented correctly, change TESTING from 1 to 0 to run CSF permanently:
TESTING = "0"
and restart the service again to activate it:
# /etc/init.d/csf restart
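The two checks a practitioner wants before flipping TESTING to "0", as an added example that is not part of the original post: missing_modules() reads lsmod output on stdin and lists which of the post's required modules are not loaded, and ssh_port_allowed() confirms the SSH port is present in TCP_IN of a csf.conf fragment. The lsmod listing and csf.conf text below are constructed samples; the ipt_* module names are the ones this post uses (newer kernels name most of them xt_* instead).

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# CSF-on-OpenVZ procedure above. Sample inputs are constructed.

REQUIRED_MODULES="ipt_conntrack ip_tables ipt_LOG ipt_multiport ipt_REJECT \
ipt_state ipt_limit ipt_recent ipt_owner iptable_nat"

# Real usage on the node:  lsmod | missing_modules
# Prints missing module names one per line; returns 1 if any are missing.
missing_modules() {
    loaded=$(awk 'NR > 1 { print $1 }')      # module column, skip header
    rc=0
    for m in $REQUIRED_MODULES; do
        # whole-line match so ip_tables does not match iptable_nat
        if ! printf '%s\n' "$loaded" | grep -qx "$m"; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# Extract the value of a csf.conf key (KEY = "value") from stdin.
conf_value() {
    sed -n "s/^$1 *= *\"\([^\"]*\)\".*/\1/p"
}

# Lock-out guard: is port $2 listed in TCP_IN of the config text $1?
ssh_port_allowed() {
    printf '%s\n' "$1" | conf_value TCP_IN | tr ',' '\n' | grep -qx "$2"
}

# Constructed lsmod output: six of the ten required modules are loaded.
SAMPLE_LSMOD='Module                  Size  Used by
ip_tables              12345  2 iptable_filter,iptable_nat
iptable_nat            23456  0
ipt_REJECT              4567  1
ipt_state               3456  2
ipt_LOG                 5678  0
ipt_multiport           2345  0
ext3                  123456  1'

# Constructed csf.conf fragment using the port lists from the post.
SAMPLE_CSF_CONF='TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
PORTFLOOD = "80;tcp;20;5"'

# Show the modprobe commands still needed, and confirm SSH stays reachable.
printf '%s\n' "$SAMPLE_LSMOD" | missing_modules | sed 's/^/modprobe /'
ssh_port_allowed "$SAMPLE_CSF_CONF" 22 && echo "TCP_IN allows SSH on 22"
```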