HOWTO: CSF Firewall + LFD Login Failure Daemon

[littleoak]

The following is a guide to installing ConfigServer Services' firewall and login failure daemon.

Warning: The Latest version of CSF does not work properly with DirectAdmin on CentOS 5 machines with Apache 2+

CSF + LFD is a full security suite. I have provided a list of the features that I have personally tested and have made work on a DirectAdmin server. I will include this list at the bottom of this post.

CSF + LFD have most of the functions APF provides, and more security features and brute force detection tools than BFD provides. It provides protection for small-scale DDoS attacks and SYN flood protection. A script to uninstall APF and BFD is included.

To install:

First, check to make sure there are no existing copies of csf in the folder:

Code:

rm -fv csf.tgz

Then:

Code:

wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

CSF has now been installed at etc/csf

If you have APF and BFD installed you must remove them:

Code:

sh /etc/csf/remove_apf_bfd.sh

By default, the firewall is set to testing mode and many of the features are turned off. To turn your firewall on and modify the settings edit up your csf.conf file located in:

Code:

cd /etc/csf

I've created a generic csf.conf file that you may download from our server. This file will work on most DirectAdmin installations. I have only checked it on CentOS. Delete your current csf.conf file and:

Code:

cd etc/csf
wget http://oakdns.net/downloads/csf.conf

Be sure to chmod the conf file to 600 once you have downloaded it and change the following line:

Code:

TESTING = "1"

to

Code:

TESTING = "0"

Finally, turn the firewall on:

Code:

/usr/sbin/csf -s

------
At this point you are done. Your firewall is configured, your logins are being monitored, and you have basic DDoS protection. Read on if you are ready for more advanced configurations.
-----

In my generic the root user will receive email alerts, the Spamhaus filter is turned ON, connection monitoring will drop anyone that attempts to open 200 or more connections per second, and any user that uses the wrong password 20 times in a row is banned permanently.

I highly recommend you modify this file to suit your needs. I will provide a little guidance in this post, but it is your responsibility to learn what each feature does and decide whether to use it.

Key features that you may want to change:

Set the firewall to autoupdate. I recommend you do NOT do this, but the feature does exist:

Code:

AUTO_UPDATES = "1"

Raise the limit on the number of IP addresses you keep permanently banned. Replace 100 with the number of your choice. Remember, iptables will create 4 rules per IP address so this may slow down your server if you set it too high. If you set this value to 0 there will be no limit. I recommend you do NOT set the value to 0 as your list of blocked IP addresses will grow indefinitely and slow your server to a halt.

Code:

DENY_IP_LIMIT = "100"

Raise the limit on the number of IP addresses you keep temporarily banned. Replace 100 with your new limit. Again, it is highly recommended that you do not set it to 0.

Code:

DENY_TEMP_IP_LIMIT = "100"

Temporarily ban offenders rather than permanently banning them. This is a recommended change. Change 1 to a value in seconds. I recommend 3600, or an hour ban.

Code:

LF_TRIGGER_PERM = "3600"

Configure the system integrity monitor to check more or less often. I've set it to check once every hour in my generic file. Change the value in seconds. I would not make it less than 3600 seconds or you'll create a high I/O load on the server.

Code:

LF_INTEGRITY = "3600"

Turn DShield, Spamhaus, or Bognos IP blocking on or off. I keep Spamhaus on as they run a tight ship and only block IP addresses that are known spammers beyond any doubt. I have no experience with DShield or Bogon. Set the value to 0 to disable, 1 to enable.

Code:

LF_DSHIELD = "0"
LF_SPAMHAUS = "1"
LF_BOGON = "0"

Change the connection tracking limit. Connection tracking checks how many connections a visitor is opening to your server. It's effective in blocking small attacks. I've set my file to block any IP using more than 200 connections per second. You may make the value higher or lower, but if you set it too low it will block legitimate visitors, and if you set it too high it won't catch small DOS attacks.

Code:

CT_LIMIT = "200"

Warn you if your server load goes over X. I've set it to 6 in my file.

Code:

PT_LOAD_LEVEL = "6"

Features that are known to work with DirectAdmin:

SPI iptables firewall

Daemon process that checks for login authentication failures for:
ssh
password protected web pages (htpasswd)
mod_security failures
suhosin failures

SSH login notification
SU login notification

Some DDoS protection:
Excessive connection blocking

A built in integrity checker:

Suspicious process reporting - reports potential exploits running on the server
Excessive user processes reporting
Excessive user process usage reporting and optional termination
Suspicious file reporting - reports potential exploit files in /tmp and similar directories
Alert sent if server load average remains high for a specified length of time
Directory and file watching - reports if a watched directory or a file changes
Block traffic on the DShield Block List and the Spamhaus DROP List
BOGON packet protection

IDS (Intrusion Detection System) - the last line of detection alerts you to changes to system and application binaries
SYN Flood protection
Ping of death protection
Port Scan tracking and blocking
Permanent and Temporary (with TTL) IP blocking
Exploit checks
Account modification tracking

[Pate]

Thanks for the guide. I used CSF over APF thanks to your tip about it on this new server I set up.

[irwhost]

How send alert email ?
ex: ban ip

[littleoak]

irwhost,

By default all alerts are sent to root.

[irwhost]

but i don't receive any email
i have send my email ( @gmail.com)
how edit default configure ?

[daveyw]

Quote:

Originally Posted by irwhost

but i don't receive any email
i have send my email ( @gmail.com)
how edit default configure ?

Code:

- Login as root
- cd /etc/csf 
- type "for file in *.txt ; do nano $file -w ; done" in the shell

Then you must edit all files (.txt) and change the email address.

Safe and restart csf/lfd

[codeman05]

LFD is showing MySQL with a lot of suspicious process running / excessive resource hits. Received about 400 notifications last night. Is this normal? Nothing looks out of the ordinary.

[littleoak]

No, this is not normal. It means that your configuration file is probably set to a very low threshhold. Did you use the DA conf file I created?

Code:

/usr/sbin/csf -f
rm -fv etc/csf/csf.conf
wget -q -O /etc/csf/csf.conf http://www.oakdns.net/downloads/csf.conf
chmod 0600 /etc/csf/csf.conf
/usr/sbin/csf -r

[codeman05]

yep sure did, actually doubled it to 120. How much higher can I go without risking it being to "dumbed down"

[codeman05]

for example:

Code:

Time:         Sat Oct 11 11:19:56 2008 -0400
Account:      mysql
Resource:     Process Time
Exceeded:     2665935 > 1800 (seconds)
Executable:   /usr/local/mysql-standard-4.1.10-pc-linux-gnu-i686/bin/mysqld
Command Line: /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data --user=mysql --pid-file=/usr/local/mysql/data/shodan.pid --skip-locking --port=3306 --socket=/tmp/mysql.sock
PID:          28787
Killed:       No

OR

Code:

Time:    Sat Oct 11 11:19:56 2008 -0400
PID:     13324
Account: nobody
Uptime:  51308 seconds


Executable:

/usr/local/directadmin/directadmin


Command Line (often faked in exploits):

/usr/local/directadmin/directadmin d


Network connections by the process (if any):

tcp: 0.0.0.0:2222 -> 0.0.0.0:0


Files open by the process (if any):



Memory maps by the process (if any):

08048000-082f1000 r-xp 00000000 08:07 1058751    /usr/local/directadmin/directadmin
082f1000-08413000 rw-p 002a9000 08:07 1058751    /usr/local/directadmin/directadmin
08413000-08465000 rw-p 08413000 00:00 0          [heap]
b7cf3000-b7cfd000 r-xp 00000000 08:01 114033     /lib/i686/cmov/libnss_files-2.7.so
b7cfd000-b7cff000 rw-p 00009000 08:01 114033     /lib/i686/cmov/libnss_files-2.7.so
b7cff000-b7d08000 r-xp 00000000 08:01 114035     /lib/i686/cmov/libnss_nis-2.7.so
b7d08000-b7d0a000 rw-p 00008000 08:01 114035     /lib/i686/cmov/libnss_nis-2.7.so
b7d0a000-b7e0a000 rw-p b7d0a000 00:00 0 
b7e0a000-b7e28000 r-xp 00000000 08:01 114021     /lib/i686/cmov/ld-2.7.so
b7e28000-b7e2a000 rw-p 0001d000 08:01 114021     /lib/i686/cmov/ld-2.7.so
b7e2a000-b7f7f000 r-xp 00000000 08:01 114024     /lib/i686/cmov/libc-2.7.so
b7f7f000-b7f82000 rw-p 00155000 08:01 114024     /lib/i686/cmov/libc-2.7.so
b7f82000-b7f85000 rw-p b7f82000 00:00 0 
b7f85000-b7f9a000 r-xp 00000000 08:01 114030     /lib/i686/cmov/libnsl-2.7.so
b7f9a000-b7f9c000 rw-p 00014000 08:01 114030     /lib/i686/cmov/libnsl-2.7.so
b7f9c000-b7f9e000 rw-p b7f9c000 00:00 0 
b7f9e000-b7fa5000 r-xp 00000000 08:01 114031     /lib/i686/cmov/libnss_compat-2.7.so
b7fa5000-b7fa7000 rw-p 00006000 08:01 114031     /lib/i686/cmov/libnss_compat-2.7.so
b7fad000-b7fae000 r-xp b7fad000 00:00 0          [vdso]
bf86a000-bf87f000 rw-p bf86a000 00:00 0          [stack]

I just reloaded your conf again to be safe, so we'll see if that helps any
Edit:
Nope, still seem to get about 50 emails an hour on mysql

[daveyw]

Do the following steps

Quote:

- nano /etc/csf/csf.pignore -w
- add: exe:/usr/local/mysql-standard-4.1.10-pc-linux-gnu-i686/bin/mysqld
- save and close csf.pignore
- /etc/init.d/csf restart && /etc/init.d/lfd restart

My default csf.pignore with DirectAdmin controlpanel can be found here

[codeman05]

nice I'll give that shot, thanks for the help.
edit
That looks to be working fine, thanks again

[PRB]

I want to install this on my server, however I already have a big number of users. Is it safe to install this without my users getting wiped or any other danger?

[littleoak]

Reshad,

It should be safe.

In short:

Code:

wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
rm -fv etc/csf/csf.conf
wget -q -O /etc/csf/csf.conf http://www.oakdns.net/downloads/csf.conf
chmod 0600 /etc/csf/csf.conf

This will install CSF and configure it for DirectAdmin.

[PRB]

Quote:

Originally Posted by littleoak

Reshad,

It should be safe.

In short:

Code:

wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
rm -fv etc/csf/csf.conf
wget -q -O /etc/csf/csf.conf http://www.oakdns.net/downloads/csf.conf
chmod 0600 /etc/csf/csf.conf

This will install CSF and configure it for DirectAdmin.

Ok, do I have to start in the very root folder? Or doesn't it matter where I use these command lines?

[littleoak]

It does not matter where you run these commands. I would not do it in the root folder - why not create a new folder just for this type of download?

[PRB]

Alright, I'll do that. Thank you!

[jlasman]

The standard place to install something like this is in /usr/local/sbin. Some good information may be found here.

Jeff

[rsbenedict]

I'm a real newbie. I just installed per your recommendations and made your recommended changes, however once I turn it on, it blocks all http access. What did I do wrong. Right now, I turned it off so I have access and my sites are accessible. I've installed it on a VPS with DA.

Thanks!

Scott

[littleoak]

Scott,

Please contact me so I can have a look at your server. Otherwise it is pretty hard to troubleshoot.