CSF Firewall in ISPConfig 3

Discussion in 'Installation/Configuration' started by prgs1971, Aug 21, 2013.

  1. prgs1971

    prgs1971 New Member

  2. tuyre

    tuyre New Member

    Try webmin

    You could possibly install webmin, which is compatible with CSF, and hence will have a GUI plugin.

    I think Webmin can sit alongside ISPConfig without draining resources, although I've never tried both myself. It's something you could experiment with.

    Install webmin 1st i think.

    http://www.webmin.com/
    then
    http://configserver.com/free/csf/install.txt

    Hope that helps.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    You can use any Firewall with ispconfig but only Bastille Firewall and UFW in ispconfig. So asl long as you dont activate the firewall in ispconfig, you can use the csf firewall on your server. webmin is not required if you want to configure csf on the shell.
     
  4. tuyre

    tuyre New Member


    If you're happy with the Command prompt. Simply follow the instructions from here to install..

    http://configserver.com/free/csf/install.txt


    You can edit /etc/csf/csf.allow in order to add your IP address or range.

    You can edit /etc/csf/csf.conf in order to improve security. try changing some of the following settings (not all will apply to all systems):-

    [I have written with RHEL/Centos in mind]


    Check csf SYSLOG_CHECK option
    --------------------------------

    nano /etc/csf/csf.conf

    Search for "SYSLOG_CHECK" and turn it on writing something like "600". The 600 means 600 seconds for each check.



    Check for DNS recursion restrictions
    -------------------------------------

    nano /etc/named.conf

    In options {

    Add this...

    allow-recursion { localnets; };

    ... and restart server


    Check SSH UseDNS
    -----------------

    You should disable UseDNS by editing nano /etc/ssh/sshd_config and setting:
    UseDNS no
    Otherwise, lfd will be unable to track SSHD login failures successfully as the log files will not report IP addresses

    /sbin/service sshd restart


    Mail Check
    -----------

    [Check exim for extended logging (log_selector)]

    nano /etc/exim.conf

    add following line under log_selector = \

    +arguments +subject +received_recipients \




    PHP Check
    ---------
    Check php for disable_functions
    --------------------------------


    nano /usr/local/lib/php.ini or maybe found at /etc/php.ini

    search for "disable_functions" and change to...

    disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen



    Check php for ini_set disabled
    -------------------------------

    nano /usr/local/lib/php.ini [or maybe found at /etc/php.ini]

    *** DRUPAL needs init_set, so I did not add it to disable_functions line above ***



    Check php for Suhosin
    ---------------------
    You should recompile PHP with Suhosin to add greater security to PHP


    Check VPS FTP PASV hole on some systems
    ------------------------------------------------------
    Since the Virtuozzo VPS iptables ip_conntrack_ftp kernel module is currently broken you have to open a PASV port hole in iptables for incoming FTP connections to work correctly. See the csf readme.txt under 'A note about FTP Connection Issues' on how to do this



    Check /tmp is mounted as a filesystem
    ----------------------------------------

    typing nano /etc/fstab

    ...add following line...

    none /tmp tmpfs nodev,nosuid,noexec 0 0

    reboot server



    Check /var/tmp is mounted as a filesystem
    ------------------------------------------

    typing nano /etc/fstab

    ...add following line...

    none /var/tmp tmpfs nodev,nosuid,noexec 0 0

    reboot server




    Check /dev/shm is mounted noexec,nosuid
    -----------------------------------------

    typing nano /etc/fstab

    ...find the following line...

    none /dev/shm tmpfs default 0 0

    change to...

    none /dev/shm tmpfs noexec,nosuid 0 0

    reboot server
     
  5. concept21

    concept21 Member

    There are many great functions in the newest CSF version 6.4.

    It allows DDNS hostname, checks apache mod_security log and blocks malicious hacker, plus many good old things! Works with ISPConfig 3!
     

Share This Page