Installation on CentOS 6/7

Taken mostly from HowtoForge, Tecmint CSF&LFD. See also Linux Brigade CSF & LFD.

yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes
cd /usr/local/src/
wget https://download.configserver.com/csf.tgz
tar xvfz csf.tgz
cd csf
sh remove_apf_bfd.sh
sh install.sh

check:

perl /etc/csf/csftest.pl

On CentOS 7:

systemctl stop firewalld
systemctl disable firewalld

edit:

vi /etc/csf/csf.conf 

Activate & start:

CentOS 7

systemctl start csf
systemctl start lfd

CentOS 6

chkconfig --level 235 csf on
service csf restart

Just in case, verify it's enabled at system start

reboot

DirectAdmin: lfd should now appear as a running service

check updates work

# csf -u

This was needed on CentOS 7:

# yum install perl-LWP-Protocol-https

Otherwise the update fails with the error: Oops: Unable to download: Protocol scheme 'https' is not supported (LWP::Protocol::https not installed)

Limits

Be aware of some limits

http://forum.directadmin.com/showthread.php?t=48689

Integration with DirectAdmin Brute Force Monitor

Taken mostly from Poralix

Warning: make sure you have alternative access to your server, e.g. several possible IPs, as you can accidentally block yourself!

cd /usr/local/directadmin/scripts/custom/
[ -r block_ip.sh ] && cp block_ip.sh block_ip.sh.bak
[ -r unblock_ip.sh ] && cp unblock_ip.sh unblock_ip.sh.bak
wget -O block_ip.sh http://files.plugins-da.net/dl/csf_block_ip.sh.txt
wget -O unblock_ip.sh http://files.plugins-da.net/dl/csf_unblock_ip.sh.txt
wget -O show_blocked_ips.sh http://files.plugins-da.net/dl/csf_show_blocked_ips.sh.txt
wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/all/brute_force_notice_ip.sh
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh brute_force_notice_ip.sh
touch /root/blocked_ips.txt /root/exempt_ips.txt
chown diradmin:diradmin block_ip.sh show_blocked_ips.sh unblock_ip.sh brute_force_notice_ip.sh

Review DirectAdmin settings

On the DirectAdmin main page, under Administrator Settings (the Extra Features section at the bottom), there is "Notify Admins after an IP has..." along with other settings related to this feature. Review them and adjust if needed.

Test

Possible Adjustments

Excessive resource usage notices

You may get email warnings of "Excessive resource usage" for system daemons. This feature is intended for user processes, so system daemons should be excluded. The most likely reason for these messages is that the daemon is not included in the whitelist file, or is installed on a different path. Alternatively, you may whitelist a (system) user instead of a process (this was needed specifically for the mysql user on CentOS 7.3).

# vi /etc/csf/csf.pignore
...
exe:/usr/libexec/dovecot/lmtp
user:mysql
...
# service lfd restart

Relax port scanning blocks

Sometimes the port scanning feature is too sensitive. This shows up specifically when configuring accounts in some email or FTP clients that try several ports: if you use a wrong password a few times, your IP is likely to be temporarily blocked. To avoid this I increase PS_LIMIT from its default value of 10 to 30.
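One way to make the PS_LIMIT change described above without opening an editor, as an added example that is not part of the original page. It assumes csf.conf stores options as KEY = "value" lines; the function names get_csf_option and set_csf_option are hypothetical, and the demo runs on a constructed sample file.

```shell
#!/bin/sh
# Added example. Assumes csf.conf stores options as: KEY = "value"

# get_csf_option FILE KEY : print the current value of KEY
get_csf_option() {
    sed -n "s/^${2}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1"
}

# set_csf_option FILE KEY VALUE : change one option, keeping FILE.bak
# Returns 1 (no file), 2 (unsafe key/value), 3 (key not defined once), 4 (edit failed)
set_csf_option() {
    conf=$1 key=$2 value=$3
    [ -f "$conf" ] || return 1
    # Reject anything that could break the quoting or the sed expressions.
    case $key in ''|*[!A-Z0-9_]*) echo "bad key: $key" >&2; return 2 ;; esac
    case $value in *[!A-Za-z0-9,._:-]*) echo "bad value: $value" >&2; return 2 ;; esac
    # Edit only when the key is defined exactly once.
    n=$(grep -c "^${key}[[:space:]]*=" "$conf" || true)
    if [ "$n" -ne 1 ]; then
        echo "$key is defined $n times in $conf, not editing" >&2
        return 3
    fi
    if [ "$(get_csf_option "$conf" "$key")" = "$value" ]; then
        return 0                      # already set, nothing to do
    fi
    cp -p "$conf" "$conf.bak"
    # Write back through redirection so the file keeps its owner and mode.
    sed "s/^\(${key}[[:space:]]*=[[:space:]]*\)\"[^\"]*\"/\1\"$value\"/" "$conf.bak" > "$conf"
    # Verify the result; restore the backup if the line did not take the value.
    [ "$(get_csf_option "$conf" "$key")" = "$value" ] || { cp -p "$conf.bak" "$conf"; return 4; }
}

# Demo on a constructed sample file (not a real csf.conf).
demo() {
    sample=$(mktemp)
    printf '%s\n' '# constructed sample' 'PS_LIMIT = "10"' > "$sample"
    set_csf_option "$sample" PS_LIMIT 30 && get_csf_option "$sample" PS_LIMIT
    rm -f "$sample" "$sample.bak"
}
demo

# On the server: set_csf_option /etc/csf/csf.conf PS_LIMIT 30
# then reload the rules with "csf -r" and restart lfd ("service lfd restart").
```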

Block an entire country

vi /etc/csf/csf.conf

More complex rules using regular expressions

http://forum.directadmin.com/showthread.php?t=53911

Csf-Lfd (last edited 2017-03-14 18:44:32 by JaumeSola)