CSF Firewall in ISPConfig 3

Discussion in 'Installation/Configuration' started by prgs1971, Aug 21, 2013.

  1. prgs1971

    prgs1971 New Member

  2. tuyre

    tuyre New Member

    Try webmin

    You could possibly install webmin, which is compatible with CSF, and hence will have a GUI plugin.

    I think Webmin can sit alongside ISPConfig without draining resources, although I've never tried both myself. It's something you could experiment with.

    Install Webmin first, I think.


    Hope that helps.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    You can use any firewall with ISPConfig, but only Bastille Firewall and UFW in ISPConfig. So as long as you don't activate the firewall in ISPConfig, you can use the CSF firewall on your server. Webmin is not required if you want to configure CSF on the shell.
  4. tuyre

    tuyre New Member

    If you're happy with the command prompt, simply follow the instructions from here to install.


    You can edit /etc/csf/csf.allow in order to add your IP address or range.

    You can edit /etc/csf/csf.conf in order to improve security. Try changing some of the following settings (not all will apply to all systems):

    [I have written with RHEL/CentOS in mind]

    Check csf SYSLOG_CHECK option

    nano /etc/csf/csf.conf

    Search for "SYSLOG_CHECK" and turn it on by writing something like "600". The 600 means 600 seconds for each check.

    Check for DNS recursion restrictions

    nano /etc/named.conf

    In options {

    Add this...

    allow-recursion { localnets; };

    ... and restart server

    Check SSH UseDNS

    You should disable UseDNS by running nano /etc/ssh/sshd_config and setting:
    UseDNS no
    Otherwise, lfd will be unable to track SSHD login failures successfully, as the log files will not report IP addresses.

    /sbin/service sshd restart

    Mail Check

    [Check exim for extended logging (log_selector)]

    nano /etc/exim.conf

    Add the following line under log_selector = \

    +arguments +subject +received_recipients \

    PHP Check
    Check php for disable_functions

    nano /usr/local/lib/php.ini or maybe found at /etc/php.ini

    Search for "disable_functions" and change to...

    disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen

    Check php for ini_set disabled

    nano /usr/local/lib/php.ini [or maybe found at /etc/php.ini]

    *** DRUPAL needs ini_set, so I did not add it to disable_functions line above ***

    Check php for Suhosin
    You should recompile PHP with Suhosin to add greater security to PHP.

    Check VPS FTP PASV hole on some systems
    Since the Virtuozzo VPS iptables ip_conntrack_ftp kernel module is currently broken, you have to open a PASV port hole in iptables for incoming FTP connections to work correctly. See the csf readme.txt under 'A note about FTP Connection Issues' on how to do this.

    Check /tmp is mounted as a filesystem

    typing nano /etc/fstab

    ...add following line...

    none /tmp tmpfs nodev,nosuid,noexec 0 0

    reboot server

    Check /var/tmp is mounted as a filesystem

    typing nano /etc/fstab

    ...add following line...

    none /var/tmp tmpfs nodev,nosuid,noexec 0 0

    reboot server

    Check /dev/shm is mounted noexec,nosuid

    typing nano /etc/fstab

    ...find the following line...

    none /dev/shm tmpfs defaults 0 0

    change to...

    none /dev/shm tmpfs noexec,nosuid 0 0

    reboot server
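
An added example, not part of any post in this thread: a read-only shell audit of three items from the checklist in post 4 (csf `SYSLOG_CHECK`, sshd `UseDNS no`, and the `noexec,nosuid` mounts). The function names, the root argument of `audit` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of the checklist settings.

# csf.conf uses KEY = "value"; pass when SYSLOG_CHECK is a non-zero number of seconds.
csf_syslog_check() {
    v=$(sed -n 's/^SYSLOG_CHECK[[:space:]]*=[[:space:]]*"\([0-9][0-9]*\)".*/\1/p' "$1" | tail -n 1)
    [ -n "$v" ] && [ "$v" -gt 0 ]
}

# sshd_config: keywords are case-insensitive and the first uncommented value wins.
sshd_usedns_off() {
    v=$(awk 'tolower($1) == "usedns" { print $2; exit }' "$1")
    [ "$v" = "no" ]
}

# fstab: pass when the entry for mount point $2 carries every option listed after it.
fstab_has_opts() {
    fstab=$1; mp=$2; shift 2
    opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$fstab")
    [ -n "$opts" ] || return 1
    for want in "$@"; do
        case ",$opts," in *",$want,"*) ;; *) return 1 ;; esac
    done
}

report() { # report LABEL COMMAND... -> prints PASS or FAIL, returns the check's status
    label=$1; shift
    if "$@" 2>/dev/null; then echo "PASS  $label"; else echo "FAIL  $label"; return 1; fi
}

# audit ROOT -> runs every check on files under ROOT; exit status is the failure count.
audit() {
    root=$1; fails=0
    report "csf SYSLOG_CHECK enabled" csf_syslog_check "$root/etc/csf/csf.conf" || fails=$((fails + 1))
    report "sshd UseDNS no" sshd_usedns_off "$root/etc/ssh/sshd_config" || fails=$((fails + 1))
    for m in /tmp /var/tmp /dev/shm; do
        report "$m has noexec,nosuid" fstab_has_opts "$root/etc/fstab" "$m" noexec nosuid || fails=$((fails + 1))
    done
    return "$fails"
}

# Constructed sample tree so the script runs offline; call `audit ""` on a real host.
demo=$(mktemp -d)
mkdir -p "$demo/etc/csf" "$demo/etc/ssh"
printf 'SYSLOG_CHECK = "600"\n' > "$demo/etc/csf/csf.conf"
printf '#UseDNS yes\nUseDNS no\n' > "$demo/etc/ssh/sshd_config"
printf 'none /tmp tmpfs nodev,nosuid,noexec 0 0\nnone /dev/shm tmpfs defaults 0 0\n' > "$demo/etc/fstab"
audit "$demo" || echo "$? check(s) failed"
rm -rf "$demo"
```

The fstab check reads the configured options only; it does not inspect what is currently mounted.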
  5. concept21

    concept21 Member

    There are many great functions in the newest CSF version 6.4.

    It allows DDNS hostnames, checks the Apache mod_security log and blocks malicious hackers, plus many good old things! Works with ISPConfig 3!
