There was an error in this gadget

Tuesday, May 18, 2010

How to configure csf on vps

Configure csf on vps

1) Configuration in node(Main Server):

Before starting the csf installation check whether the following modules are inserted in the kernel:

ipt_conntrack
ip_tables
ipt_LOG
ipt_multiport
ipt_REJECT
ipt_state
ipt_limit
ipt_recent
ipt_owner
iptable_nat

You can check it as follows

# lsmod |grep -i {modules}

If not insert these modules into the kernel

#modprobe {modules}
eg: modprobe ipt_recent

Add these modules to iptable configuration as follows

# vi /etc/sysconfig/iptables-config

Add the following in this file

IPTABLES_MODULES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc"

Add these modules in the VPS configuration file

# vi /etc/sysconfig/vz-scripts/100.conf

IPTABLES_MODULES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc"

Main server(node) configuration is over. Now restart the vps

# vzctl restart
eg: vzctl restart 100

2) VPS configurttion:

Enter in to VPS

#cd /usr/local/src/
# wget http://www.configserver.com/free/csf.tgz

# tar zxvf csf.tgz
# cd csf
# ./install.sh

To test all the iptable modules are available

# ./csftest.pl

If you are running apf_bfd firewall, it has to be removed for csf works

# ./remove_apf_bfd.sh

Now to configure csf config file to implement firewall as per our need

# vi /etc/csf/csf.conf

TESTING = “1"
(We will change it to zero “0″ when we finished and sure we have configured correctly)

TCP_IN = “20,21,22,25,53,80,110,143,443,465,587,993,995″
TCP_OUT = “20,21,22,25,53,80,110,113,443″
UDP_IN = “20,21,53″
UDP_OUT = “20,21,53,113,123"
(Put your all ports which you want to be open on your server for incoming & outgoing traffic seperated by comma)

PORTFLOOD = “80;tcp;20;5″
(To protect your server any specific port from DOS attacks, you can define it in PORTFLOOD tag. By default its empty and i did like to limit 20 connections per 5 sec to port 80 (webserver))

After this save the file and restart the csf service

# /etc/init.d/csf start

If you completed with configuation and sure that every rules is implemented correctly then change Testing from 1 to 0 for run CSF permanently.

TESTING = “0″

and restart the service again to activate it

# /etc/init.d/csf restart



No comments:

Post a Comment