Installation on CentOS 6/7
yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes
cd /usr/local/src/
wget https://download.configserver.com/csf.tgz
tar xvfz csf.tgz
cd csf
sh remove_apf_bfd.sh
sh install.sh
On CentOS 7:
systemctl stop firewalld
systemctl disable firewalld
Configure at least TCP_IN, TCP_OUT, UDP_IN and UDP_OUT. Specifically, I leave open at least the following (all TCP only):
- 80 & 443 for HTTP & HTTPS (both eventually needed for web sites, but also for downloads, e.g. using wget)
- 25 & 587 for SMTP, i.e. mail sending (even if this server won't accept mail, you need these open if any process may send mail)
- the non-default ssh port (changed previously)
- set TESTING = "0"
Activate & start:
systemctl start csf
systemctl start lfd
chkconfig --level 235 csf on
service csf restart
Just in case, verify it's enabled at system start
DirectAdmin: lfd should now appear as a running service
Check that updates work:
# csf -u
This was needed on CentOS 7:
# yum install perl-LWP-Protocol-https
otherwise you get the error: Oops: Unable to download: Protocol scheme 'https' is not supported (LWP::Protocol::https not installed)
Be aware of some limits
The recommended rough limit is about 1000 blocked IPs.
Integration with DirectAdmin Brute Force Monitor
Taken mostly from Poralix
Warning: make sure you have alternative access to your server, e.g. from several different IPs, as you could accidentally block yourself!
cd /usr/local/directadmin/scripts/custom/
[ -r block_ip.sh ] && cp block_ip.sh block_ip.sh.bak
[ -r unblock_ip.sh ] && cp unblock_ip.sh unblock_ip.sh.bak
wget -O block_ip.sh http://files.plugins-da.net/dl/csf_block_ip.sh.txt
wget -O unblock_ip.sh http://files.plugins-da.net/dl/csf_unblock_ip.sh.txt
wget -O show_blocked_ips.sh http://files.plugins-da.net/dl/csf_show_blocked_ips.sh.txt
wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/all/brute_force_notice_ip.sh
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh brute_force_notice_ip.sh
touch /root/blocked_ips.txt /root/exempt_ips.txt
chown diradmin:diradmin block_ip.sh show_blocked_ips.sh unblock_ip.sh brute_force_notice_ip.sh
Review DirectAdmin settings
In the DA main page, under Administrator Settings (Extra Features, bottom section), there's "Notify Admins after an IP has..." and other settings related to this feature. Review and adjust as needed.
- Reduce the number of attempts before notification
- From an IP that you can afford to have blocked (i.e. you can still access the server from a different IP), make that number of failed attempts: you should be blocked
Excessive resource usage notices
You may get email warnings of "Excessive resource usage" for system daemons. This feature is intended for user processes, so system daemons should be excluded. The most likely reason for these messages is that the daemon is not included in the ignore (whitelist) file, or is installed on a different path than the one listed there. Alternatively you may whitelist a (system) user instead of a process (this was needed specifically for the mysql user on CentOS 7.3).
- Fix (I include a few cases I found necessary):
# vi /etc/csf/csf.pignore
...
exe:/usr/libexec/dovecot/lmtp
user:mysql
...
# service lfd restart
Relax port scanning blocks
Sometimes the port scanning feature is too sensitive, specifically when configuring accounts in some email or FTP clients that try several ports: if you use a wrong password a few times, your IP is likely to be temporarily blocked. To avoid this I increase PS_LIMIT from its default value of 10 to 30.
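As an added example (not part of the original notes), the following POSIX shell script audits an existing csf.conf against the settings recommended on this page: TESTING = "0", the TCP_IN ports listed in the installation section, and the relaxed PS_LIMIT. The sample configs it writes are constructed for the demonstration, and port 2222 is a placeholder for your own non-default ssh port.

```shell
# Added example, not from the original notes: audit a csf.conf against the
# settings recommended on this page. Assumes the standard KEY = "value" layout
# of /etc/csf/csf.conf; the configs written below are constructed samples.

# Print the unquoted value of KEY from a csf.conf-style file (last match wins).
csf_get() { # usage: csf_get <conf> <KEY>
    sed -n "s/^$2 *= *\"\(.*\)\".*/\1/p" "$1" | tail -n 1
}

# Check one config; prints each problem and returns the number of problems
# (0 means the file matches the recommendations). Port ranges such as
# 30000:35000 are not expanded, so a port inside a range counts as missing.
csf_audit() { # usage: csf_audit <conf> <ssh_port>
    audit_conf=$1; audit_ssh=$2; audit_problems=0
    if [ "$(csf_get "$audit_conf" TESTING)" != "0" ]; then
        echo "TESTING is not 0: csf runs in testing mode and lfd will not start"
        audit_problems=$((audit_problems + 1))
    fi
    audit_tcpin=$(csf_get "$audit_conf" TCP_IN | tr -d ' ')
    for audit_port in 80 443 25 587 "$audit_ssh"; do
        case ",$audit_tcpin," in
            *",$audit_port,"*) ;;
            *) echo "port $audit_port missing from TCP_IN"
               audit_problems=$((audit_problems + 1)) ;;
        esac
    done
    audit_ps=$(csf_get "$audit_conf" PS_LIMIT)
    if [ "${audit_ps:-0}" -lt 30 ]; then
        echo "PS_LIMIT=$audit_ps is below the relaxed value of 30"
        audit_problems=$((audit_problems + 1))
    fi
    return "$audit_problems"
}

# Constructed sample configs: one following the page, one with the defaults
# the page tells you to change. 2222 stands in for your non-default ssh port.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
TESTING = "0"
TCP_IN = "25,80,443,587,2222"
PS_LIMIT = "30"
EOF
cat >"$BAD_CONF" <<'EOF'
# TESTING: set to 0 once you have finished configuring csf
TESTING = "1"
TCP_IN = "22,80,443"
PS_LIMIT = "10"
EOF
csf_audit "$GOOD_CONF" 2222 && echo "$GOOD_CONF: ok"
```

Run it against the real file with `csf_audit /etc/csf/csf.conf <your-ssh-port>`; a non-zero exit status is the count of settings that still differ from the notes above.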
Block an entire country
CC_DENY (read the comments and warnings in the file first)