现在的位置: 首页secure>正文
csf防火墙的安装配置
2012年07月11日 secure 暂无评论 ⁄ 被围观 3,518 view+

csf防火墙简介

1、 防止暴力破解密码,自动屏蔽连续登陆失败的IP

2 、管理网络端口,只开放必要的端口

3 、免疫小流量的 DDos 和 CC 攻击。

csf防火墙提供了基于web GUI的管理方式,并且提供 cPanel 插件,而且还可以基于CLI来管理。

csf的安装:

一、安装依赖包:

yum install perl-libwww-perl perl iptables

二、下载并安装 CSF:

wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

三、测试 CSF 是否能正常工作:

[root@localhost csf]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server

csf的配置:

CSF的配置文件是 /etc/csf/csf.conf

# Allow incoming TCP ports
# 推荐您更改 SSH 的默认端口(22)为其他端口,但请注意一定要把新的端口加到下一行中
TCP_IN = “20,21,47,81,1723,25,53,80,110,143,443,465,587,993,995″
# Allow outgoing TCP ports同上,把 SSH 的登录端口加到下一行。
# 在某些程序要求打开一定范围的端口的情况下,例如Pureftpd的passive mode,可使用类似 30000:35000 的方式打开30000-35000范围的端口。
TCP_OUT = “20,21,47,81,1723,25,53,80,110,113,443″
# Allow incoming UDP ports
UDP_IN = “20,21,53″
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = “20,21,53,113,123″
# Allow incoming PING 是否允许别人ping你的服务器,默认为1,允许。0为不允许。
ICMP_IN = “1″

以上这些配置大家一看就懂了,下面再介绍几个比较常用的:

免疫某些类型的小规模 DDos 攻击:

# Connection Tracking. This option enables tracking of all connections from IP
# addresses to the server. If the total number of connections is greater than
# this value then the offending IP address is blocked. This can be used to help
# prevent some types of DOS attack.
#
# Care should be taken with this option. It’s entirely possible that you will
# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
# and HTTP so it could be quite easy to trigger, especially with a lot of
# closed connections in TIME_WAIT. However, for a server that is prone to DOS
# attacks this may be very useful. A reasonable setting for this option might
# be arround 200.
#
# To disable this feature, set this to 0
CT_LIMIT = "200"##固定时间内同一个IP请求的此数
# Connection Tracking interval. Set this to the the number of seconds between
# connection tracking scans
CT_INTERVAL = "30" ##指上面的固定时间,单位为秒
# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = "1" ##是否发送邮件
# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
# 是否对可疑IP采取永久屏蔽,默认为0,即临时性屏蔽。
CT_PERMANENT = "0"
# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
# 临时性屏蔽时间
CT_BLOCK_TIME = "1800"
# If you don’t want to count the TIME_WAIT state against the connection count
# then set the following to “1″
CT_SKIP_TIME_WAIT = "0" ##是否统计TIME_WAIT链接状态
# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. “SYN_RECV,TIME_WAIT”
# Leave this option empty to count all states against CT_LIMIT
CT_STATES = "" ##是否分国家来统计,填写的是国家名
# If you only want to count specific ports (e.g. 80,443) then add the ports
# to the following as a comma separated list. E.g. “80,443″
#
# Leave this option empty to count all ports against CT_LIMIT
# 对什么端口进行检测,为空则检测所有,防止ssh的话可以为空,统计所有的。
CT_PORTS = ""

做了以上设置之后,可以先测试一下。如果没有问题的话,就更改为正式模式,刚才只是测试模式。

# 把默认的1修改为0。
TESTING = "0"

在/etc/csf/下面还有2个文件

csf.allow和csf.deny

这里面保存的就是允许的IP和禁止的IP,可以手动编辑这两个文件,比如想禁止某人来访问本站,就把他的IP加入到csf.deny列表里面去,或者是为了防止误封。可以把自己的IP加入到csf.allow列表里面去。加入之后记得重启一下csf防火墙。

/etc/init.d/csf restart或者csf -r 都可以重启。

来源:http://www.linuxyan.com/linux-service/218.html

给我留言

留言无头像?


×
腾讯微博