{"id":858,"date":"2016-06-10T02:17:25","date_gmt":"2016-06-09T18:17:25","guid":{"rendered":"http:\/\/cn.hostease.com\/xueyuan\/?p=858"},"modified":"2025-01-02T15:48:41","modified_gmt":"2025-01-02T07:48:41","slug":"linux%e5%85%8d%e8%b4%b9%e9%98%b2%e7%81%ab%e5%a2%99csf%e5%ae%89%e8%a3%85%e5%8f%8a%e9%85%8d%e7%bd%ae","status":"publish","type":"post","link":"https:\/\/cn.hostease.com\/xueyuan\/jishu\/linux\/linux%e5%85%8d%e8%b4%b9%e9%98%b2%e7%81%ab%e5%a2%99csf%e5%ae%89%e8%a3%85%e5%8f%8a%e9%85%8d%e7%bd%ae\/","title":{"rendered":"Linux\u514d\u8d39\u9632\u706b\u5899csf\u5b89\u88c5\u53ca\u914d\u7f6e"},"content":{"rendered":"

\u4e00\u3001csf\u9632\u706b\u5899<\/p>\n

csf\u9632\u706b\u5899\u63d0\u4f9b\u4e86\u57fa\u4e8eweb GUI\u7684\u7ba1\u7406\u65b9\u5f0f\uff0c\u5e76\u4e14\u63d0\u4f9b cPanel \u63d2\u4ef6\uff0c\u800c\u4e14\u8fd8\u53ef\u4ee5\u57fa\u4e8eCLI\u6765\u7ba1\u7406.<\/p>\n

1 \u9632\u6b62\u66b4\u529b\u7834\u89e3\u5bc6\u7801\uff0c\u81ea\u52a8\u5c4f\u853d\u8fde\u7eed\u767b\u9646\u5931\u8d25\u7684IP;<\/p>\n

2 \u7ba1\u7406\u7f51\u7edc\u7aef\u53e3\uff0c\u53ea\u5f00\u653e\u5fc5\u8981\u7684\u7aef\u53e3;<\/p>\n

3 \u514d\u75ab\u5c0f\u6d41\u91cf\u7684 DDos \u548c CC \u653b\u51fb;<\/p>\n

\u4e8c\u3001csf\u5b89\u88c5:<\/p>\n

<1> \u5b89\u88c5\u4f9d\u8d56\u5305:<\/p>\n

# yum -y install perl-libwww-perl perl iptables<\/p>\n

<2> \u4e0b\u8f7d\u5e76\u5b89\u88c5csf:<\/p>\n

# wget https:\/\/www.configserver.com\/free\/csf.tgz<\/u><\/p>\n

# tar -xzf csf.tgz<\/p>\n

# cd csf<\/p>\n

# sh install.sh<\/p>\n

<3>\u6d4b\u8bd5csf\u662f\u5426\u80fd\u6b63\u5e38\u5de5\u4f5c:<\/p>\n

# per \/etc\/csf\/csftest.pl<\/p>\n

-bash: per: command not found<\/p>\n

[root@sqj csf]# perl \/etc\/csf\/csftest.pl<\/p>\n

Testing ip_tables\/iptable_filter…OK<\/p>\n

Testing ipt_LOG…OK<\/p>\n

Testing ipt_multiport\/xt_multiport…OK<\/p>\n

Testing ipt_REJECT…OK<\/p>\n

Testing ipt_state\/xt_state…OK<\/p>\n

Testing ipt_limit\/xt_limit…OK<\/p>\n

Testing ipt_recent…OK<\/p>\n

Testing xt_connlimit…OK<\/p>\n

Testing ipt_owner\/xt_owner…OK<\/p>\n

Testing iptable_nat\/ipt_REDIRECT…OK<\/p>\n

Testing iptable_nat\/ipt_DNAT…OK<\/p>\n

RESULT: csf should function on this server<\/p>\n

\u4e09\u3001csf\u7684\u914d\u7f6e:<\/p>\n

csf\u7684\u914d\u7f6e\u6587\u4ef6\u662f \/etc\/csf\/csf.conf<\/p>\n

\u53c2\u6570:<\/p>\n

<1>TESTING = “0” \u00a0\/\/\u9ed8\u8ba4\u76841(\u6d4b\u8bd5\u6a21\u5f0f)\u4fee\u6539\u4e3a0(\u6b63\u5f0f\u6a21\u5f0f;<\/p>\n

<2>TCP_IN \u00a0TCP_OUT<\/p>\n

#\u00a0Allow incoming TCP ports<\/p>\n

TCP_IN = “20,21,22,25,53,80,110,143,443,465,587,993,995”<\/p>\n

# Allow outgoing TCP ports<\/p>\n

TCP_OUT = “20,21,22,25,53,80,110,113,443,587,993,995”<\/p>\n

\u5b89\u5168\u8d77\u89c1,\u53ef\u4ee5\u4fee\u6539SSH\u9ed8\u8ba4\u7aef\u53e3\u4e3a\u5176\u4ed6\u7aef\u53e3,\u7136\u540e\u628a\u76f8\u5e94\u7684\u7aef\u53e3\u52a0\u5165TCP_IN TCP_OUT\u4e2d\u5373\u53ef!<\/p>\n

\u67d0\u4e9b\u7a0b\u5e8f\u9700\u8981\u6253\u5f00\u4e00\u5b9a\u8303\u56f4\u7684\u7aef\u53e3,\u4f8b\u5982Pureftpd\u7684passive mode,\u53ef\u4f7f\u752830000:35000\u7684\u65b9\u5f0f\u6253\u5f0030000-35000\u8303\u56f4\u7684\u7aef\u53e3.\u540c\u4e0a\u65b9\u5f0f\u52a0\u5165.<\/p>\n

<3>ICMP_IN = “1”<\/p>\n

# Allow incoming PING \u662f\u5426\u5141\u8bb8\u522b\u4ebaping\u4f60\u7684\u670d\u52a1\u5668,\u9ed8\u8ba4\u4e3a1,\u5141\u8bb8,0\u4e3a\u4e0d\u5141\u8bb8.<\/p>\n

<4>\u514d\u75ab\u5c0f\u89c4\u6a21ddos\u653b\u51fb<\/p>\n

# To disable this feature, set this to 0<\/p>\n

CT_LIMIT = “150” \u00a0\u00a0\u00a0\/\/\u56fa\u5b9a\u65f6\u95f4\u5185\u540c\u4e00\u4e2aIP\u8bf7\u6c42\u7684\u6b21\u6570<\/p>\n

# Connection Tracking interval. Set this to the the number of seconds between<\/p>\n

# connection tracking scans<\/p>\n

CT_INTERVAL = “30” \u00a0\u00a0\/\/\u6307\u4e0a\u9762\u7684\u56fa\u5b9a\u65f6\u95f4,\u5355\u4f4d\u4e3a\u79d2;<\/p>\n

# Send an email alert if an IP address is blocked due to connection tracking<\/p>\n

CT_EMAIL_ALERT = “1” \u00a0\u00a0\/\/\u662f\u5426\u53d1\u9001\u90ae\u4ef6<\/p>\n

# If you want to make IP blocks permanent then set this to 1, otherwise blocks<\/p>\n

# will be temporary and will be cleared after CT_BLOCK_TIME seconds<\/p>\n

CT_PERMANENT = “0” \u00a0\u00a0\u00a0\/\/\u662f\u5426\u5bf9\u53ef\u4ee5IP\u91c7\u53d6\u6c38\u4e45\u5c4f\u853d,\u9ed8\u8ba4\u4e3a0,\u5373\u4e34\u65f6\u6027\u5c4f\u853d.<\/p>\n

# If you opt for temporary IP blocks for CT, then the following is the interval<\/p>\n

# in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)<\/p>\n

CT_BLOCK_TIME = “1800” \u00a0\/\/\u4e34\u65f6\u6027\u5c4f\u853d\u65f6\u95f4<\/p>\n

# If you don’t want to count the TIME_WAIT state against the connection count<\/p>\n

# then set the following to “1”<\/p>\n

CT_SKIP_TIME_WAIT = “0” \u00a0\/\/\u662f\u5426\u7edf\u8ba1TIME_WAIT\u94fe\u63a5\u72b6\u6001<\/p>\n

<5>CT_PORTS = \u201c\u201d<\/p>\n

# Leave this option empty to count all states against CT_LIMIT<\/p>\n

CT_STATES = “” \u00a0\u5bf9\u4ec0\u4e48\u7aef\u53e3\u8fdb\u884c\u68c0\u6d4b,\u4e3a\u7a7a\u5219\u68c0\u6d4b\u6240\u6709.\u901a\u5e38\u53ea\u9700\u5b9a\u4e49\u5bf9HTTP\u670d\u52a180\u7aef\u53e3\u8fdb\u884c\u68c0\u6d4b.<\/p>\n

\u56db\u3001\u9ed1\u540d\u5355\u3001\u767d\u540d\u5355<\/p>\n

\u914d\u7f6e\u6587\u4ef6\u8def\u5f84: \/etc\/csf\/csf.allow \u00a0\/etc\/csf\/csf.deny<\/p>\n

\u82e5\u8981\u7981\u67d0\u4e2aIP,\u53ef\u4ee5\u628a\u5bf9\u5e94IP(\u6216IP\u6bb5)\u52a0\u5165csf.deny\u914d\u7f6e\u6587\u4ef6,\u540c\u6837\u53ef\u4ee5\u4f7f\u7528\u547d\u4ee4csf -d IP.<\/p>\n

\u7136\u540e,\u91cd\u542fcsf. \/etc\/init.d\/csf restart \u6216\u8005 csf -r \u90fd\u53ef\u4ee5\u91cd\u542f.<\/p>\n