Installing and configuring csf, a free firewall for Linux

1. The csf firewall

csf (ConfigServer Security & Firewall) can be managed through a web GUI, ships a cPanel plugin, and can also be driven entirely from the command line. Its main functions:

1 Prevents password brute-forcing by automatically blocking IPs that repeatedly fail to log in (this is done by csf's companion daemon lfd, which watches the authentication logs);

2 Manages network ports so that only the ones you actually need are open;

3 Mitigates small-scale DDoS and CC (HTTP flood) attacks through connection tracking.

2. Installing csf

<1> Install the dependencies (csf drives iptables itself, so stop and disable any other firewall manager such as firewalld before installing, otherwise the two will fight over the rule set):

# yum -y install perl-libwww-perl perl iptables

<2> Download and install csf:

# wget https://www.configserver.com/free/csf.tgz

# tar -xzf csf.tgz

# cd csf

# sh install.sh

<3> Check that csf can work on this server (csftest.pl probes each iptables module csf needs):

# perl /etc/csf/csftest.pl

Testing ip_tables/iptable_filter...OK

Testing ipt_LOG...OK

Testing ipt_multiport/xt_multiport...OK

Testing ipt_REJECT...OK

Testing ipt_state/xt_state...OK

Testing ipt_limit/xt_limit...OK

Testing ipt_recent...OK

Testing xt_connlimit...OK

Testing ipt_owner/xt_owner...OK

Testing iptable_nat/ipt_REDIRECT...OK

Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

A FAILED line means that module is missing from the kernel (typical on OpenVZ/LXC containers, where the host owns the netfilter modules); csf will not work properly until it is available.

3. Configuring csf

csf's configuration file is /etc/csf/csf.conf. After changing any of the values below, reload the rules with csf -r.

Parameters:

<1> TESTING = "0"  // the default is 1 (testing mode); change it to 0 (production mode). In testing mode a cron job flushes csf's rules every TESTING_INTERVAL minutes (default 5) so a bad rule cannot lock you out, but the firewall then gives no lasting protection and lfd will not start. Before switching to 0, make sure the SSH port is in TCP_IN.

<2> TCP_IN and TCP_OUT

# Allow incoming TCP ports

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports

TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

For safety, change the SSH daemon's default port and add the new port to TCP_IN (and to TCP_OUT if the server itself makes outbound SSH connections). Put it in csf.conf and reload csf before restarting sshd on the new port, otherwise the firewall drops your own session. Also prune both lists to the services you actually run: the defaults above open FTP, SMTP and POP/IMAP ports that a plain web server does not need.

Some programs need a whole range of ports, for example Pure-FTPd's passive mode. csf accepts a range written as 30000:35000, which opens 30000-35000; add it to the list in the same way.

<3> ICMP_IN = "1"

# Allow incoming PING: whether others may ping the server; 1 (the default) allows it, 0 blocks it. Blocking PING also breaks any external ping-based uptime monitoring.

<4> Mitigating small-scale DDoS with connection tracking (the CT_ options)

# To disable this feature, set this to 0

CT_LIMIT = "150"    // maximum number of simultaneous connections one IP may hold at the time of a scan; an IP that exceeds it is blocked. The shipped default is 0 (tracking off). 150 is easily exceeded by a NAT'd office network or a busy keep-alive HTTP client, so watch /var/log/lfd.log after enabling it.

# Connection Tracking interval. Set this to the the number of seconds between

# connection tracking scans

CT_INTERVAL = "30"   // seconds between connection-tracking scans

# Send an email alert if an IP address is blocked due to connection tracking

CT_EMAIL_ALERT = "1"   // send an email alert when an IP is blocked by connection tracking

# If you want to make IP blocks permanent then set this to 1, otherwise blocks

# will be temporary and will be cleared after CT_BLOCK_TIME seconds

CT_PERMANENT = "0"    // 1 = block offending IPs permanently; 0 (the default) = temporary blocks that expire after CT_BLOCK_TIME seconds

# If you opt for temporary IP blocks for CT, then the following is the interval

# in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)

CT_BLOCK_TIME = "1800"  // duration of a temporary block in seconds (1800 = 30 minutes)

# If you don't want to count the TIME_WAIT state against the connection count

# then set the following to “1”

CT_SKIP_TIME_WAIT = "0"  // 0 counts connections in TIME_WAIT toward the limit; set to 1 to ignore them (otherwise the closed connections of a busy client inflate its count)

<5> CT_PORTS = ""   // comma-separated list of ports on which to count connections; empty = every port. Usually only the web ports (80, plus 443 if used) need tracking, so that other services are not caught by the limit.

# Leave this option empty to count all states against CT_LIMIT

CT_STATES = ""  // connection states to count (e.g. SYN_RECV); empty = all states.
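Editing csf.conf by hand is error-prone, and the one mistake that really matters is switching TESTING to 0 before the SSH port is in TCP_IN. The POSIX sh helpers below are an added example written for this page, not part of csf: they read and rewrite the KEY = "value" lines of a csf.conf, add a port or port range to a list without duplicates, and refuse to leave testing mode unless the port from sshd_config is already listed. CSF_CONF and SSHD_CONFIG are assumed variables so the functions can be pointed at copies of the files; the function names, and the limitation that list_has matches whole list entries only (a port that merely falls inside a 30000:35000 range is not recognised), are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of csf): script-safe edits to /etc/csf/csf.conf.
# CSF_CONF and SSHD_CONFIG are assumed variables; point them at copies to test.
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
NL='
'

# csf_key_ok KEY: csf.conf option names are upper-case words (TCP_IN, CT_LIMIT, ...).
csf_key_ok() {
    case "$1" in ""|*[!A-Z0-9_]*) echo "bad csf.conf key '$1'" >&2; return 1 ;; esac
}

# csf_get KEY: print the value of KEY without its surrounding double quotes.
csf_get() {
    csf_key_ok "$1" || return 1
    sed -n "s/^$1 = \"\(.*\)\"[[:space:]]*$/\1/p" "$CSF_CONF" | head -n 1
}

# csf_set KEY VALUE: rewrite the KEY line in place. Fails if KEY is absent (a
# typo must not silently add an unknown option) or if VALUE would break the
# quoted line (double quote, backslash, newline).
csf_set() {
    csf_key_ok "$1" || return 1
    case "$2" in *'"'*|*'\'*|*"$NL"*) echo "csf_set: unsafe value for $1" >&2; return 1 ;; esac
    grep -q "^$1 = " "$CSF_CONF" || { echo "csf_set: $1 not found in $CSF_CONF" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # write through a temp file, then copy back so csf.conf keeps its owner and mode
    awk -v k="$1" -v v="$2" '$1 == k && $2 == "=" { print k " = \"" v "\""; next } { print }' \
        "$CSF_CONF" > "$tmp" && cat "$tmp" > "$CSF_CONF"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# list_has LIST ITEM: succeed if ITEM is one whole element of comma-separated LIST.
# A port that only falls inside a range entry such as 30000:35000 is not matched.
list_has() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# csf_add_port LIST_KEY PORT: append PORT (2222, or a range like 30000:35000) to
# TCP_IN, TCP_OUT, UDP_IN, ... unless it is already listed. Only the syntax is
# checked, not that the numbers stay below 65536.
csf_add_port() {
    case "$2" in ""|*[!0-9:]*|:*|*:|*:*:*) echo "csf_add_port: bad port spec '$2'" >&2; return 1 ;; esac
    cur=$(csf_get "$1") || return 1
    grep -q "^$1 = " "$CSF_CONF" || { echo "csf_add_port: $1 not found" >&2; return 1; }
    list_has "$cur" "$2" && return 0
    if [ -z "$cur" ]; then csf_set "$1" "$2"; else csf_set "$1" "$cur,$2"; fi
}

# ssh_port: the active Port directive from sshd_config, or 22 when none is set.
ssh_port() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$SSHD_CONFIG" 2>/dev/null | head -n 1)
    echo "${p:-22}"
}

# csf_go_live: set TESTING = "0", but only when the sshd port is already in
# TCP_IN, so leaving testing mode cannot lock the administrator out.
csf_go_live() {
    p=$(ssh_port)
    if ! list_has "$(csf_get TCP_IN)" "$p"; then
        echo "csf_go_live: refusing TESTING=0, sshd port $p is not in TCP_IN" >&2
        return 1
    fi
    csf_set TESTING 0
}

# Usage, against a copy first:
#   CSF_CONF=/tmp/csf.conf.test csf_add_port TCP_IN 2222 && csf_go_live
# then apply the same edits to /etc/csf/csf.conf and run: csf -r
```

The copy-back through cat rather than mv keeps the file's owner and mode, which matters because csf reads csf.conf as root and a world-writable config would let any local user open ports.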

4. Blacklist and whitelist

Configuration files: /etc/csf/csf.allow (whitelist) and /etc/csf/csf.deny (blacklist)

To block an IP or range, add it to csf.deny (one address or CIDR per line, optionally followed by a # comment) or run csf -d IP; csf -a IP adds an address to the whitelist. Addresses added with csf -d or csf -a take effect immediately, csf -dr IP and csf -ar IP remove them again, and csf -g IP shows every iptables rule and list entry that mentions an address, which is the quickest way to find out why someone is blocked. Allow entries are evaluated before deny entries, so an address listed in csf.allow is not blocked by csf.deny.

After editing the files by hand, restart csf so the change is loaded: /etc/init.d/csf restart or csf -r both reload the rules.
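Before blocking an address it is worth checking that a csf.allow entry does not already cover it: csf warns about that interactively, but not when csf.deny is written by a script or a log-processing job. The POSIX sh functions below are an added example written for this page, not part of csf. They parse the plain IP and CIDR entries of csf.allow and csf.deny, test membership with integer masks, and append a deny entry only when the address is neither allowed nor already denied. Advanced-format lines (tcp|in|d=22|s=...) are skipped by the check, IPv6 is not handled, and CSF_ALLOW / CSF_DENY are assumed variables so the functions can be exercised on copies of the files.

```shell
#!/bin/sh
# Added example (not part of csf): deny an address only if csf.allow does not
# cover it and csf.deny does not already list it. IPv4 only; the advanced
# "tcp|in|d=22|s=1.2.3.4" entry format is ignored by the checks below.
# CSF_ALLOW and CSF_DENY are assumed variables; point them at copies to test.
CSF_ALLOW="${CSF_ALLOW:-/etc/csf/csf.allow}"
CSF_DENY="${CSF_DENY:-/etc/csf/csf.deny}"

# ip4_to_int A.B.C.D: print the address as a 32-bit integer; fail on anything
# that is not a well-formed dotted quad (leading zeros are rejected too, since
# shell arithmetic would read them as octal).
ip4_to_int() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in 0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip4_in_cidr IP CIDR: succeed if IP lies inside CIDR ("203.0.113.0/24");
# a bare address is treated as a /32.
ip4_in_cidr() {
    case "$2" in
        */*) net=${2%%/*}; bits=${2#*/} ;;
        *)   net=$2; bits=32 ;;
    esac
    case "$bits" in ""|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    a=$(ip4_to_int "$1") || return 1
    n=$(ip4_to_int "$net") || return 1
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# covered_by FILE IP: succeed if a plain IP or CIDR entry in FILE covers IP.
# "# ..." comments are stripped; advanced-format lines containing "|" are skipped.
covered_by() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' -e '/|/d' -e 's/^[[:space:]]*//' -e '/^[[:space:]]*$/d' "$1" | (
        while read -r entry rest; do
            ip4_in_cidr "$2" "$entry" && exit 0
        done
        exit 1
    )
}

# csf_deny_safe IP [COMMENT]: append "IP # COMMENT" to csf.deny. Returns 0 when
# added, 2 when skipped (allowed or already denied), 1 on a malformed address.
# Run "csf -r" afterwards so csf loads the new entry.
csf_deny_safe() {
    ip4_to_int "$1" >/dev/null || { echo "csf_deny_safe: bad IPv4 address '$1'" >&2; return 1; }
    if covered_by "$CSF_ALLOW" "$1"; then
        echo "csf_deny_safe: $1 is covered by $CSF_ALLOW, not denying" >&2; return 2
    fi
    if covered_by "$CSF_DENY" "$1"; then
        echo "csf_deny_safe: $1 is already in $CSF_DENY" >&2; return 2
    fi
    # keep the comment on one line so it cannot smuggle a second entry into the file
    comment=$(printf '%s' "${2:-added by csf_deny_safe}" | tr -d '\n\r')
    printf '%s # %s\n' "$1" "$comment" >> "$CSF_DENY"
}

# Usage: csf_deny_safe 192.0.2.50 "ssh brute force" && csf -r
```

The address validation is deliberately strict: anything that is not four decimal octets is rejected before it reaches the file, so a hostname, a shell fragment or an IPv6 literal from an untrusted log line cannot end up in csf.deny.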

  • Uninstalling csf

Run the following commands to uninstall csf:

# cd /etc/csf

# sh uninstall.sh