Install and use the CSF firewall on RHEL/CentOS 8/7
Published: 2020-02-23 14:39:12 Source: igfitidea
How do you install and use the CSF firewall on RHEL/CentOS 8?
The first thing to do after installing a RHEL/CentOS 8 server is to configure a firewall and harden the server against any form of malicious access.
The most popular firewall service on RHEL-based systems is firewalld.
ConfigServer Security & Firewall (CSF) is a powerful open-source Stateful Packet Inspection (SPI) firewall, login/intrusion detection and security application for Linux servers.
Install the CSF firewall on RHEL/CentOS 8
If the system is not running critical applications, you can upgrade the installed packages and reboot.
sudo dnf -y update
Once that is done, install Perl.
sudo dnf -y install @perl
Check the Perl version.
$ perl -v

This is perl 5, version 26, subversion 2 (v5.26.2) built for x86_64-linux-thread-multi
(with 52 registered patches, see perl -V for more detail)

Copyright 1987-2016, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl".  If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.
Install CSF using the automated installer script.
Download and extract it with curl (the trailing "-" tells tar to read the archive from standard input):
curl -SL https://download.configserver.com/csf.tgz | tar -xzf -
Change into the extracted folder, csf:
cd csf
Run the installer.
sudo sh install.sh
See the sample output below.
Test the installation
$ sudo perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server
Configure and start CSF on RHEL/CentOS 8
CSF is now installed on RHEL/CentOS 8.
The main configuration file is /etc/csf/csf.conf.
Edit this file to adjust the firewall rules and policies.
Refer to the section below for the TCP and UDP ports to allow.
Disable testing mode.
sudo perl -pi -w -e "s/TESTING = \"1\"/TESTING = \"0\"/" /etc/csf/csf.conf
Have lfd ignore the IP addresses on the allow list (so they are never blocked).
sudo perl -pi -w -e "s/IGNORE_ALLOW = \"0\"/IGNORE_ALLOW = \"1\"/" /etc/csf/csf.conf
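The two perl one-liners above only rewrite an option when its current value is exactly the one in the pattern (TESTING = "1", IGNORE_ALLOW = "0"); if the file already holds some other value they silently change nothing. As an added example (not code from the original article or from the CSF project), here is a small POSIX shell helper that sets a csf.conf option to a given value whatever it currently is, fails loudly when the key is absent, and reads the value back. It runs against a constructed fragment of csf.conf in a temporary file; the function names, the fragment and the sample values are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article or from CSF): set a csf.conf
# option to a given value regardless of its current value, then verify it.
set -eu

# csf_set <conf-file> <KEY> <VALUE>
# Rewrites the line `KEY = "..."`; returns 1 if KEY is not present.
# VALUE must not contain '/' or '&' (they are special to sed's s command).
csf_set() {
    conf=$1; key=$2; value=$3
    # Only an uncommented assignment at the start of a line counts.
    if ! grep -q "^${key} = \"" "$conf"; then
        echo "csf_set: ${key} not found in ${conf}" >&2
        return 1
    fi
    # -i.bak keeps a copy of the previous file next to the edited one.
    sed -i.bak "s/^${key} = \".*\"/${key} = \"${value}\"/" "$conf"
}

# csf_get <conf-file> <KEY>: prints the value between the quotes.
csf_get() {
    sed -n "s/^$2 = \"\(.*\)\"/\1/p" "$1"
}

# Demonstration on a constructed csf.conf fragment (not a real server's file).
# On a real host pass /etc/csf/csf.conf instead of the temp file.
demo() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
# Testing flag - while "1" a cron job clears the rules periodically
TESTING = "1"
# With "1", lfd ignores (never blocks) addresses listed in csf.allow
IGNORE_ALLOW = "0"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
EOF
    csf_set "$conf" TESTING 0
    csf_set "$conf" IGNORE_ALLOW 1
    csf_get "$conf" TESTING        # prints 0
    csf_get "$conf" IGNORE_ALLOW   # prints 1
    rm -f "$conf" "$conf.bak"
}

demo
```

Because the helper anchors on the key at the start of the line, it leaves the explanatory comment lines in csf.conf untouched and refuses to run against a key that does not exist, which the original one-liners do not check.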
The installer adds a systemd service file for us.
We can enable and start it by running:
sudo systemctl enable --now csf
Confirm the service status.
$ sudo systemctl status csf
● csf.service - ConfigServer Firewall & Security - csf
   Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: disabled)
   Active: active (exited) since Sun 2019-03-17 09:10:19 EAT; 10h ago
 Main PID: 783 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 11510)
   Memory: 0B
   CGroup: /system.slice/csf.service

Mar 17 09:10:19 rhel8.local csf[783]: ACCEPT  all opt    in * out lo  ::/0  -> ::/0
Mar 17 09:10:19 rhel8.local csf[783]: LOGDROPOUT  all opt    in * out !lo  ::/0  -> ::/0
Mar 17 09:10:19 rhel8.local csf[783]: LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0
Mar 17 09:10:19 rhel8.local csf[783]: csf: FASTSTART loading DNS (IPv4)
Mar 17 09:10:19 rhel8.local csf[783]: csf: FASTSTART loading DNS (IPv6)
Mar 17 09:10:19 rhel8.local csf[783]: LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
Mar 17 09:10:19 rhel8.local csf[783]: LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
Mar 17 09:10:19 rhel8.local csf[783]: LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0
Mar 17 09:10:19 rhel8.local csf[783]: LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0
Mar 17 09:10:19 rhel8.local systemd[1]: Started ConfigServer Firewall & Security - csf.
CSF usage examples
Block an IP address or subnet
sudo csf -d 192.168.0.20
sudo csf -d 192.168.0.0/24
Sample output:
Adding 192.168.0.20 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  192.168.0.20  -> 0.0.0.0/0
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.0.20
Remove an IP address or subnet from the block list.
$ sudo csf -dr 192.168.0.20
Removing rule...
DROP  all opt -- in !lo out *  192.168.0.20  -> 0.0.0.0/0
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.0.20
Allow an IP address through the firewall.
$ sudo csf -a 192.168.15.15
Adding 192.168.15.15 to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  192.168.15.15  -> 0.0.0.0/0
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.15.15
Block specific countries
Edit the CC_DENY line in /etc/csf/csf.conf:
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""
List the ports that are listening for connections.
$ sudo csf -p
Ports listening for external connections and the executables running behind them:
Port/Proto Open Conn  PID/User         Command Line                              Executable
22/tcp     4/6  4     (789/root)       /usr/sbin/sshd -D -oCiphers=aes256-g...   /usr/sbin/sshd
80/tcp     4/6  -     (2580/root)      /usr/sbin/httpd -DFOREGROUND              /usr/sbin/httpd
80/tcp     4/6  -     (2583/apache)    /usr/sbin/httpd -DFOREGROUND              /usr/sbin/httpd
80/tcp     4/6  -     (2584/apache)    /usr/sbin/httpd -DFOREGROUND              /usr/sbin/httpd
80/tcp     4/6  -     (2585/apache)    /usr/sbin/httpd -DFOREGROUND              /usr/sbin/httpd
80/tcp     4/6  -     (2804/apache)    /usr/sbin/httpd -DFOREGROUND              /usr/sbin/httpd
443/tcp    4/6  -     (2580/root)      /usr/sbin/httpd -DFOREGROUND              /usr/sbin/httpd
443/tcp    4/6  -     (2583/apache)    /usr/sbin/httpd -DFOREGROUND              /usr/sbin/httpd
443/tcp    4/6  -     (2584/apache)    /usr/sbin/httpd -DFOREGROUND              /usr/sbin/httpd
443/tcp    4/6  -     (2585/apache)    /usr/sbin/httpd -DFOREGROUND              /usr/sbin/httpd
443/tcp    4/6  -     (2804/apache)    /usr/sbin/httpd -DFOREGROUND              /usr/sbin/httpd
3306/tcp   -/-  -     (2474/mysql)     /usr/libexec/mysqld --basedir=/usr        /usr/libexec/mysqld
68/udp     -/-  -     (761/root)       /usr/sbin/NetworkManager --no-daemon      /usr/sbin/NetworkManager
161/udp    -/-  -     (3129/root)      /usr/sbin/snmpd -LS0-6d -f                /usr/sbin/snmpd
323/udp    -/-  -     (768/chrony)     /usr/sbin/chronyd                         /usr/sbin/chronyd
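The Open column in that listing is what tells you about exposure: "4/6" means the firewall accepts the port for IPv4 and IPv6, "-/-" means a daemon is listening but the firewall blocks it. As an added example (not code from the original article or from CSF), here is an awk-based parser for this output that reports each distinct port once with its open/closed state, together with a function that lists the listening-but-blocked ports; in the article's listing those are 3306/tcp, 68/udp, 161/udp and 323/udp, which stay unreachable only while csf is running and out of testing mode. The sample listing is constructed from the article's output above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article or from CSF): summarise the
# output of `csf -p` so that listening services can be reviewed against what
# the firewall actually exposes.

# listening_summary < csf_p_output
# Prints "PORT/PROTO open|closed COMMAND" once per distinct port/proto.
listening_summary() {
    awk '
        # Data rows start with a port number followed by /tcp or /udp;
        # the header and title lines do not match.
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && !seen[$1]++ {
            # Open column: "-/-" means blocked for both IPv4 and IPv6.
            state = ($2 == "-/-") ? "closed" : "open"
            # Field 4 is (PID/User); field 5 is the command binary.
            printf "%s %s %s\n", $1, state, $5
        }'
}

# Constructed sample, shaped after the article's `csf -p` listing.
sample_csf_p() {
    cat <<'EOF'
Ports listening for external connections and the executables running behind them:
Port/Proto Open Conn  PID/User         Command Line                              Executable
22/tcp     4/6  4     (789/root)       /usr/sbin/sshd -D -oCiphers=aes256-g...   /usr/sbin/sshd
80/tcp     4/6  -     (2580/root)      /usr/sbin/httpd -DFOREGROUND              /usr/sbin/httpd
80/tcp     4/6  -     (2583/apache)    /usr/sbin/httpd -DFOREGROUND              /usr/sbin/httpd
443/tcp    4/6  -     (2580/root)      /usr/sbin/httpd -DFOREGROUND              /usr/sbin/httpd
3306/tcp   -/-  -     (2474/mysql)     /usr/libexec/mysqld --basedir=/usr        /usr/libexec/mysqld
68/udp     -/-  -     (761/root)       /usr/sbin/NetworkManager --no-daemon      /usr/sbin/NetworkManager
161/udp    -/-  -     (3129/root)      /usr/sbin/snmpd -LS0-6d -f                /usr/sbin/snmpd
323/udp    -/-  -     (768/chrony)     /usr/sbin/chronyd                         /usr/sbin/chronyd
EOF
}

# closed_listeners: ports a service listens on that the firewall does not
# expose. If csf is put back into TESTING mode or flushed (csf -f) they become
# reachable, so consider binding such daemons to localhost as a second layer.
closed_listeners() {
    sample_csf_p | listening_summary | awk '$2 == "closed" { print $1 }'
}

sample_csf_p | listening_summary
```

On a live host replace `sample_csf_p` with `sudo csf -p`; the parser only depends on the first, second and fifth whitespace-separated columns, so the variable-width Command Line column does not affect it.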
Send an email when a user logs in via SSH:
LF_SSH_EMAIL_ALERT = "1"
Set the alert email address:
LF_ALERT_TO = "Hyman@theitroad"
Email yourself the server security check report.
csf -m Hyman@theitroad
Access the CSF web UI
CSF has an integrated web UI that can be used for configuration.
Enable the UI in the /etc/csf/csf.conf file.
UI = "1"
We can also set custom values:
# Set this to the port that want to bind this service to
UI_PORT = "6666"
# Leave blank to bind to all IP addresses on the server
UI_IP = ""
UI_USER = "admin"
UI_PASS = "StrongAdminPassword"
Then add your IP address to the UI whitelist (the redirection itself needs root, which "sudo echo" does not give it, so use tee):
echo "YOUR_IP_ADDRESS" | sudo tee -a /etc/csf/ui/ui.allow
Start or restart the lfd service
$ sudo systemctl enable --now lfd
$ systemctl status lfd
● lfd.service - ConfigServer Firewall & Security - lfd
   Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2019-03-17 20:05:10 EAT; 33s ago
  Process: 21213 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
 Main PID: 21226 (lfd - sleeping)
    Tasks: 1 (limit: 11510)
   Memory: 392.1M
   CGroup: /system.slice/lfd.service
           └─21226 lfd - sleeping

Mar 17 20:05:10 rhel8.local systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Mar 17 20:05:10 rhel8.local systemd[1]: Started ConfigServer Firewall & Security - lfd.
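Two details of the web UI setup above deserve a check. First, the article quotes only the first line of the UI_PORT comment in csf.conf; the full comment in CSF's shipped csf.conf says not to open that port in TCP_IN and instead to allow only trusted addresses with an advanced allow filter in /etc/csf/csf.allow (format protocol|direction|port|source, e.g. tcp|in|d=6666|s=ADDRESS). Second, appending to ui.allow repeatedly leaves duplicate lines. As an added example (not code from the original article or from CSF), the following POSIX shell script grants one administrator address access to the UI: it validates the address as IPv4, adds it to ui.allow only if absent, and adds the matching csf.allow filter for the UI port only if absent. It runs against constructed files in a temporary directory; the file paths, function names and the documentation address 203.0.113.10 are this example's own assumptions, and after editing the real files lfd and csf need the restart shown above.

```shell
#!/bin/sh
# Added example (not from the original article or from CSF): allow one admin
# IP to reach the CSF web UI without opening UI_PORT to the whole Internet.
# On a real host use /etc/csf/ui/ui.allow and /etc/csf/csf.allow as the paths.
set -eu

# is_ipv4 <addr>: dotted-quad check, four numeric octets in 0-255.
is_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# append_unique <file> <line>: add the line unless it is already present
# (grep -x matches whole lines, -F treats the pattern literally).
append_unique() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# grant_ui_access <admin-ip> <ui-port> <ui.allow path> <csf.allow path>
grant_ui_access() {
    ip=$1; port=$2; ui_allow=$3; csf_allow=$4
    is_ipv4 "$ip" || { echo "grant_ui_access: '$ip' is not an IPv4 address" >&2; return 1; }
    # Web UI allow-list: one address per line.
    append_unique "$ui_allow" "$ip"
    # csf.allow advanced filter: inbound TCP to the UI port from this source only.
    append_unique "$csf_allow" "tcp|in|d=${port}|s=${ip}"
}

# Demonstration on constructed files in a temp directory (not a real server).
demo() {
    dir=$(mktemp -d)
    grant_ui_access 203.0.113.10 6666 "$dir/ui.allow" "$dir/csf.allow"
    # Running it again is a no-op: nothing is duplicated.
    grant_ui_access 203.0.113.10 6666 "$dir/ui.allow" "$dir/csf.allow"
    cat "$dir/ui.allow" "$dir/csf.allow"
    rm -rf "$dir"
}

demo
```

Keeping the UI port out of TCP_IN and reachable only through a source-restricted filter means a leaked UI_PASS is not enough on its own to reach the login form from an arbitrary address.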