1. The csf firewall

csf (ConfigServer Security & Firewall) can be managed through a web GUI, through its cPanel plugin, or from the command line. It provides:
1 Protection against brute-force password cracking: IPs with repeated failed logins are blocked automatically;
2 Port management: only the ports you actually need are opened;
3 Mitigation of small-scale DDoS and CC (HTTP flood) attacks.

2. Installing csf

<1> Install the dependencies:
# yum -y install perl-libwww-perl perl iptables

<2> Download csf, unpack it and run the installer:
# tar -xzf csf.tgz
# cd csf
# sh install.sh

<3> Check that csf can work on this server. The test script verifies that every iptables module csf relies on is available:
# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server

If any line reports FAILED, the corresponding kernel module is missing and csf cannot install those rules; fix that before going further.

3. Configuring csf

The configuration file is /etc/csf/csf.conf. The parameters that matter:

<1> TESTING = "0"
The default is 1 (testing mode); change it to 0 (production mode). While TESTING is 1, csf installs a cron job that flushes the firewall rules every TESTING_INTERVAL minutes (5 by default), so a mistake in the port lists cannot lock you out permanently. Only set it to 0 once you have confirmed that you can still log in after a restart.

<2> TCP_IN / TCP_OUT
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
For safety you can move SSH from its default port to another port; add the new port to TCP_IN and TCP_OUT before restarting csf, otherwise you lock yourself out. Some programs need a whole range of ports, for example Pure-FTPd in passive mode: write 30000:35000 to open ports 30000 through 35000 and add it to the list in the same way.

<3> ICMP_IN = "1"
# Allow incoming PING
Whether other hosts may ping the server. The default, 1, allows it; 0 denies it.

<4> Mitigating small-scale DDoS attacks: connection tracking
# To disable this feature, set this to 0
CT_LIMIT = "150" // the maximum number of connections one IP may have open when a scan runs; an IP above this number is blocked
# Connection Tracking interval. Set this to the number of seconds between
# connection tracking scans
CT_INTERVAL = "30" // the scan interval referred to above, in seconds
# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = "1" // whether to send an email alert for each block
# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
CT_PERMANENT = "0" // whether to block an offending IP permanently; the default 0 means temporary blocks
# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins)
CT_BLOCK_TIME = "1800" // how long a temporary block lasts, in seconds
# If you don't want to count the TIME_WAIT state against the connection count
# then set the following to "1"
CT_SKIP_TIME_WAIT = "0" // whether connections in TIME_WAIT are left out of the count; 0 counts them, 1 ignores them

<5> CT_PORTS = ""
# Leave this option empty to count all states against CT_LIMIT
CT_STATES = ""
CT_PORTS lists the local ports that connection tracking watches; empty means every port. Usually it is enough to watch the HTTP service on port 80, i.e. CT_PORTS = "80". CT_STATES restricts which connection states are counted; leave it empty to count all states.

4. Whitelist and blacklist

Configuration file paths:
/etc/csf/csf.allow
/etc/csf/csf.deny
To block an address, add the IP (or IP range) to csf.deny, or run csf -d IP, which writes the entry to csf.deny and installs the iptables rule immediately; csf -a IP does the same for the whitelist in csf.allow. After editing either file by hand, restart csf so the change is loaded:
/etc/init.d/csf restart
or
csf -r

5. Uninstalling csf

Run the following command to uninstall csf:
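The two places above where an operator most often locks themselves out are moving SSH to a new port without adding it to TCP_IN, and switching TESTING to 0 before checking that. As an added example, not code from the original post or from the csf project, the POSIX shell functions below read and set KEY = "value" lines in a csf.conf-style file, test whether a port is covered by a csf port list (including lo:hi ranges such as 30000:35000), and refuse to set TESTING = "0" unless the SSH port is in TCP_IN. The configuration fragment it operates on is constructed for the example; run it against a copy, never directly against /etc/csf/csf.conf without a backup.

```shell
#!/bin/sh
# Added example, not from the original post or the csf project.
# Helpers to read/set csf.conf-style lines (KEY = "value") and a lockout check
# that only leaves TESTING mode when the SSH port is open in TCP_IN.

# Print the value of KEY from a csf.conf-style file ($1 = file, $2 = key).
csf_get() {
    sed -n "s/^$2 = \"\(.*\)\"\$/\1/p" "$1" | head -n 1
}

# Set KEY to VALUE in the file ($1 = file, $2 = key, $3 = value).
# Rewrites through a temp file so it works with any sed; VALUE must not contain '/'.
csf_set() {
    tmp="$1.tmp.$$"
    sed "s/^$2 = \".*\"\$/$2 = \"$3\"/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Return 0 if PORT ($2) is covered by the comma-separated csf port list ($1),
# where each item is either a single port or a range written lo:hi.
port_allowed() {
    list=$1 port=$2 old_ifs=$IFS
    IFS=,
    set -- $list            # split the list on commas into $1..$n
    IFS=$old_ifs
    for item in "$@"; do
        case $item in
            *:*) lo=${item%%:*} hi=${item##*:}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
            *)   [ "$item" = "$port" ] && return 0 ;;
        esac
    done
    return 1
}

# Lockout check: set TESTING = "0" in $1 only if the SSH port ($2) is in TCP_IN.
# Returns 0 when the change was made, 1 (file untouched) otherwise.
go_live() {
    if port_allowed "$(csf_get "$1" TCP_IN)" "$2"; then
        csf_set "$1" TESTING 0
        return 0
    fi
    echo "refusing to set TESTING=0: port $2 is not in TCP_IN" >&2
    return 1
}

# Constructed csf.conf fragment used for the demonstration ($1 = path to write).
write_sample_conf() {
    cat > "$1" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,30000:35000"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
CT_LIMIT = "150"
EOF
}

# Demo: SSH has been moved to 2222 but TCP_IN was not updated, then it is fixed.
demo() {
    conf=$(mktemp)
    write_sample_conf "$conf"
    go_live "$conf" 2222 || echo "demo: refused, adding 2222 to TCP_IN first"
    csf_set "$conf" TCP_IN "$(csf_get "$conf" TCP_IN),2222"
    go_live "$conf" 2222 && echo "demo: TESTING is now $(csf_get "$conf" TESTING)"
    rm -f "$conf"
}
demo
```

The range check is what makes the passive-FTP case work: a port inside 30000:35000 is reported as allowed even though it never appears literally in the list.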
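The connection-tracking settings in section 3 (<4> and <5>) act on a periodic count of open connections per remote IP. As an added example, not code from the original post or from csf itself, the script below reproduces that count over constructed netstat -tn-style lines and reports the IPs that exceed a given CT_LIMIT, honouring CT_SKIP_TIME_WAIT and CT_PORTS, so you can preview which addresses a setting would block before enabling it. The addresses and connection lines are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post or the csf project: emulate csf's
# connection-tracking count over netstat/ss-style lines to preview what a given
# CT_LIMIT / CT_SKIP_TIME_WAIT / CT_PORTS combination would block.

# Constructed `netstat -tn` output: Proto Recv-Q Send-Q Local Foreign State
SAMPLE_CONNS='tcp 0 0 10.0.0.5:80 203.0.113.7:51000 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.7:51001 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.7:51002 TIME_WAIT
tcp 0 0 10.0.0.5:80 198.51.100.9:40000 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.9:40001 SYN_RECV
tcp 0 0 10.0.0.5:22 192.0.2.3:60000 ESTABLISHED
tcp 0 0 10.0.0.5:22 192.0.2.3:60001 ESTABLISHED
tcp 0 0 10.0.0.5:80 192.0.2.3:60002 ESTABLISHED'

# ct_offenders LIMIT SKIP_TIME_WAIT PORTS   (connection lines on stdin)
# Prints "ip count" for every remote IP whose counted connections exceed LIMIT,
# mirroring CT_LIMIT (block when count > limit), CT_SKIP_TIME_WAIT (1 = ignore
# TIME_WAIT) and CT_PORTS (comma list of local ports; empty = all ports).
ct_offenders() {
    awk -v limit="$1" -v skip_tw="$2" -v ports="$3" '
    BEGIN { nports = split(ports, p, ","); for (i = 1; i <= nports; i++) want[p[i]] = 1 }
    $1 == "tcp" {
        if (skip_tw == 1 && $6 == "TIME_WAIT") next
        lport = $4; sub(/.*:/, "", lport)        # local port after the last colon
        if (nports > 0 && !(lport in want)) next
        rip = $5; sub(/:[0-9]+$/, "", rip)       # strip the remote port (IPv4 sample)
        count[rip]++
    }
    END { for (ip in count) if (count[ip] + 0 > limit + 0) print ip, count[ip] }' | sort
}

# Wrappers over the constructed sample for the three settings being compared.
offenders_all()   { printf '%s\n' "$SAMPLE_CONNS" | ct_offenders 2 0 ""; }
offenders_no_tw() { printf '%s\n' "$SAMPLE_CONNS" | ct_offenders 2 1 ""; }
offenders_http()  { printf '%s\n' "$SAMPLE_CONNS" | ct_offenders 2 0 "80"; }

echo "CT_LIMIT=2, all states, all ports:"; offenders_all
echo "CT_LIMIT=2, CT_SKIP_TIME_WAIT=1:";   offenders_no_tw
echo "CT_LIMIT=2, CT_PORTS=80:";           offenders_http
```

With a CT_LIMIT of 2, counting every state and port flags both 203.0.113.7 and 192.0.2.3; ignoring TIME_WAIT drops 203.0.113.7 back under the limit, and restricting tracking to port 80 leaves only 203.0.113.7, since 192.0.2.3's connections are mostly SSH. On a live host, replace the sample with `netstat -tn` output and pick a CT_LIMIT large enough that legitimate clients behind one NAT address do not trip it.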