zhoji posted on 2017-1-14 11:45:38

Installing and configuring the free Linux firewall CSF

I. The CSF firewall

The CSF firewall can be managed through a web GUI, ships a cPanel plugin, and can also be managed entirely from the CLI.
1. Protects against brute-force password attacks by automatically blocking IPs with repeated failed logins;
2. Manages network ports, opening only the ones that are needed;
3. Resists small-volume DDoS and CC (HTTP flood) attacks.

II. Installing CSF

<1> Install the dependencies:
# yum -y install perl-libwww-perl perl iptables

<2> Download and install CSF:
# wget http://www.configserver.com/free/csf.tgz
# tar -xzf csf.tgz
# cd csf
# sh install.sh

<3> Test whether CSF can work on this server:
# per /etc/csf/csftest.pl
-bash: per: command not found
# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

III. Configuring CSF

The CSF configuration file is /etc/csf/csf.conf. Parameters:

<1> TESTING
TESTING = "0"    // change the default 1 (testing mode) to 0 (production mode). While TESTING is 1, csf periodically flushes its iptables rules so that a mistake cannot lock you out, and the lfd daemon does not run; switch to 0 only after the port lists below are correct.

<2> TCP_IN / TCP_OUT
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
For safety, you can move SSH from its default port to another port; then just add that port to TCP_IN and TCP_OUT. Some programs need a whole range of ports opened, for example Pure-FTPd passive mode: the notation 30000:35000 opens ports 30000-35000, and it is added to the lists in the same way.

<3> ICMP_IN
# Allow incoming PING
ICMP_IN = "1"    // whether others may ping your server: the default 1 allows it, 0 disallows it.

<4> Resisting small-scale DDoS attacks
# To disable this feature, set this to 0
CT_LIMIT = "150"    // the number of connections from one IP counted within the fixed interval

# Connection Tracking interval. Set this to the the number of seconds between
# connection tracking scans
CT_INTERVAL = "30"    // the fixed interval referred to above, in seconds

# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = "1"    // whether to send an e-mail alert

# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
CT_PERMANENT = "0"    // whether suspicious IPs are blocked permanently; the default 0 means temporary blocks

# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
CT_BLOCK_TIME = "1800"    // duration of a temporary block

# If you don't want to count the TIME_WAIT state against the connection count
# then set the following to "1"
CT_SKIP_TIME_WAIT = "0"    // whether connections in the TIME_WAIT state are counted

<5> CT_PORTS / CT_STATES
CT_PORTS = ""    // which ports connection tracking examines; empty means all ports. Usually only port 80 (HTTP) needs to be tracked.
# Leave this option empty to count all states against CT_LIMIT
CT_STATES = ""

IV. Blacklist and whitelist

Configuration file paths:
/etc/csf/csf.allow
/etc/csf/csf.deny
To block an IP, add that IP (or IP range) to the csf.deny file; the command csf -d IP does the same. Then restart csf:
/etc/init.d/csf restart or csf -r will both restart it.

V. Uninstalling CSF

Run the following commands to uninstall csf:
# cd /etc/csf
# sh uninstall.sh
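The TESTING / TCP_IN settings in section III are where administrators most often lock themselves out: the SSH port gets moved or dropped from TCP_IN and TESTING is switched to 0. The script below is an added example (not part of the original post or of the csf project) that reads a csf.conf-style fragment, expands LOW:HIGH port ranges, and refuses to bless the configuration until the SSH port is listed in TCP_IN and TESTING is 0. The configuration text is constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a csf.conf fragment
# before switching TESTING from "1" to "0". All configuration text below is
# constructed for the demonstration.

CSF_CONF_SAMPLE='
# Allow incoming TCP ports (22 deliberately missing, passive FTP range added)
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,30000:35000"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
TESTING = "1"
'

# csf_get VAR CONF: print the quoted value of VAR from csf.conf-style text
# (first match only; comment lines never match because they start with #).
csf_get() {
    printf '%s\n' "$2" |
        sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# csf_port_allowed PORT LIST: succeed if PORT is covered by a comma-separated
# csf port list, where an entry may be a single port or a LOW:HIGH range.
csf_port_allowed() {
    printf '%s\n' "$2" | tr ',' '\n' | awk -v p="$1" '
        /^[0-9]+$/        { if ($1 + 0 == p + 0) found = 1 }
        /^[0-9]+:[0-9]+$/ { split($1, r, ":"); if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# csf_precheck SSH_PORT CONF: print one line per problem that would lock the
# administrator out or leave the firewall inactive; return 0 when clean.
csf_precheck() {
    ssh_port=$1
    conf=$2
    rc=0
    tcp_in=$(csf_get TCP_IN "$conf")
    if ! csf_port_allowed "$ssh_port" "$tcp_in"; then
        echo "SSH port $ssh_port is not in TCP_IN (\"$tcp_in\")"
        rc=1
    fi
    if [ "$(csf_get TESTING "$conf")" = "1" ]; then
        echo "TESTING is still 1: lfd will not start until it is set to 0"
        rc=1
    fi
    return $rc
}

# On a real host: csf_precheck 22 "$(cat /etc/csf/csf.conf)"
# The constructed sample fails both checks.
csf_precheck 22 "$CSF_CONF_SAMPLE" || echo "precheck failed: fix csf.conf before setting TESTING=0"
```

Run it against the real file with the port your sshd actually listens on (the one you moved it to, if you followed the advice in <2>) before editing TESTING; a configuration that passes both checks still needs the outbound list reviewed by hand, since the script only guards against the lockout case.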
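The connection-tracking options in <4> and <5> of section III (CT_LIMIT, CT_SKIP_TIME_WAIT, CT_PORTS) are easier to reason about when you can see which IPs a given combination would flag. The script below is an added example, not code from the original post or from csf itself: it is a simplified model of the scan lfd performs every CT_INTERVAL seconds, run over a constructed netstat-style socket table. Function and variable names are my own; the real lfd reads the live socket table and applies further logic this model omits.

```shell
#!/bin/sh
# Added example, not from the original post: a simplified model of csf's
# connection-tracking check, to show how CT_LIMIT, CT_SKIP_TIME_WAIT and
# CT_PORTS interact. The netstat-style input below is constructed; the real
# lfd daemon scans the live socket table every CT_INTERVAL seconds.

CONNS_SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:50001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:50002       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:50003       TIME_WAIT
tcp        0      0 10.0.0.5:443            203.0.113.7:50004       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:41000      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:41001      ESTABLISHED'

# ct_over_limit LIMIT SKIP_TIME_WAIT PORTS CONNS: print "IP COUNT" (sorted)
# for every remote IP holding more than LIMIT connections. PORTS is a
# comma-separated list of local ports to count, "" meaning all ports, like
# CT_PORTS; SKIP_TIME_WAIT=1 ignores TIME_WAIT sockets, like CT_SKIP_TIME_WAIT.
ct_over_limit() {
    printf '%s\n' "$4" | awk -v limit="$1" -v skip_tw="$2" -v ports="$3" '
        BEGIN { n = split(ports, pl, ","); for (i = 1; i <= n; i++) want[pl[i]] = 1 }
        $1 != "tcp" { next }                      # header lines, non-TCP rows
        {
            lp = $4; sub(/.*:/, "", lp)           # local port after the last colon
            if (ports != "" && !(lp in want)) next
            if (skip_tw == "1" && $6 == "TIME_WAIT") next
            ip = $5; sub(/:[0-9]+$/, "", ip)      # strip the remote port
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit + 0) print ip, count[ip] }' |
        sort
}

# Against a live server this would be: ct_over_limit 150 0 "" "$(netstat -nt)"
# With the constructed sample and CT_LIMIT=3, only 203.0.113.7 is over the
# limit; with CT_SKIP_TIME_WAIT=1 it drops to 3 connections and is no longer.
ct_over_limit 3 0 "" "$CONNS_SAMPLE"
```

Two things the sample makes visible: TIME_WAIT sockets from a busy but legitimate client can push it over CT_LIMIT, which is why CT_SKIP_TIME_WAIT exists, and restricting CT_PORTS to 80 as the post suggests means connections to other services never count toward the limit at all.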