CSF - ConfigServer Services
To test CSF run the following command.
# /etc/csf/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing xt_connlimit…OK
Testing ipt_owner/xt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK
RESULT: csf should function on this server
csf LF_SCRIPT_ALERT option
This option will notify you when a large amount of email is sent from a particular script on the server, helping track down spam scripts.
Spam Protection Alerts
If you want to add some spam protection, CSF can help. Look in the configuraiton for the following:
LF_SCRIPT_ALERT = 0 change this to 1. This will send an email alert to the system administrator when the limit configured below is reached within an hour.
LF_SCRIPT_LIMIT = 100 change this to 250. This will alert you when any scripts sends out 250 email messages in an hour.
This setting will then send an alert email if more than LF_SCRIPT_LIMIT lines appear with the same cwd= path in them within an hour. This can be useful in identifying spamming scripts on a server, especially PHP scripts running under the nobody account. The email that is sent includes the exim log lines and also attempts to find scripts that send email in the path that may be the culprit.
The limit after which the email alert for email scripts is sent. Care should be taken with this value if you allow clients to use web scripts to maintain pseudo-mailing lists which have large recipients.
Reference: http://www.configserver.com
csf SMTP_BLOCK option
This option will help prevent the most common form of spam abuse on a server that bypasses exim and sends spam directly out through port 25. Enabling this option will prevent any web script from sending out using socket connection, such scripts should use the exim or sendmail binary instead
Block outgoing SMTP except for root, exim and mailman (forces scripts/users to use the exim/sendmail binary instead of sockets access).
This replaces the protection as WHM > Tweak Settings > SMTP Tweaks
This option uses the iptables ipt_owner module and must be loaded for it to work. It may not be available on some VPS platforms
Note: Run /etc/csf/csftest.pl to check whether this option will function on this server
If SMTP_BLOCK is enabled but you want to allow local connections to port 25 on the server (e.g. for webmail or web scripts) then enable this option to allow outgoing SMTP connections to the loopback device
How to check if csf will work on your server
One you have downloaded CSF firewall and installed it, you can run the below command to check the status and the results.
# /etc/csf/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing ipt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
RESULT: csf should function on this server
CSF Advanced Allow/Deny Filters
In /etc/csf.allow and /etc/csf.deny you can add more complex port and ip filters using the following format (you must specify a port AND an IP address):
tcp/udp|in/out|s/d=port|s/d=ip|u=uid
Broken down:
tcp/udp : EITHER tcp OR udp OR icmp protocol
in/out : EITHER incoming OR outgoing connections
s/d=port : EITHER source OR destination port number (or ICMP type)
(use a _ for a port range, e.g. 2000_3000)
s/d=ip : EITHER source OR destination IP address
u/g=UID : EITHER UID or GID of source packet, implies outgoing connections, s/d=IP value is ignored
Note: ICMP filtering uses the “port” for s/d=port to set the ICMP type. Whether you use s or d is not relevant as either simply uses the iptables –icmp-type option. Use “iptables -p icmp -h” for a list of valid ICMP types. Only one type per filter is supported
Examples:
# TCP connections inbound to port 3306 from IP 11.22.33.44
tcp|in|d=3306|s=11.22.33.44
# TCP connections outbound to port 22 on IP 11.22.33.44
tcp|out|d=22|d=11.22.33.44
Reference: http://www.configserver.com/