Config Server Firewall (atau CSF) adalah firewall gratis dan canggih untuk sebagian besar distro Linux dan VPS berbasis Linux. Selain fungsi dasar firewall – paket penyaringan – CSF mencakup fitur keamanan lainnya, seperti login/intrusion/flood detection. CSF termasuk UI integrasi untuk cPanel, DirectAdmin dan Webmin, tapi tutorial ini hanya mencakup penggunaan baris perintah. CSF mampu mengenali banyak serangan, seperti port scan, SYN banjir, dan login serangan brute force pada banyak layanan. Hal ini dikonfigurasi untuk memblokir klien yang terdeteksi harus menyerang server cloud untuk sementara.
Daftar lengkap sistem operasi yang didukung dan fitur dapat ditemukan di situs web ConfigServer itu.
Config Server Firewall web
Installing ConfigServer Firewall
Step 1: Downloading
Config Server Firewall is not currently available in Debian or Ubuntu repositories, and has to be downloaded from the ConfigServer’s website.
This will download CSF to your current working directory.
Step 2: Uncompressing
The downloaded file is a compressed from of tar package, and has to be uncompressed and extracted before it can be used.
tar -xzf csf.tgz
Step 3: Installing
If you are using another firewall configuration scripts, such as UFW, you should disable it before proceeding. Iptables rules are automatically removed.
UFW can be disabled by running the following command:
Now it is time to execute the CSF’s installer script.
The firewall is now installed, but you should check if the required iptables modules are available.
The firewall will work if no fatal errors are reported.
Note: Your IP address was added to the whitelist if possible. In addition, the SSH port has been opened automatically, even if it uses custom port. The firewall was also configured to have testing mode enabled, which means that the iptables rules will be automatically removed five minutes after starting CSF. This should be disabled once you know that your configuration works, and you will not be locked out.
CSF can be configured by editing its configuration file csf.conf in /etc/csf:
The changes can be applied with command:
Step 1: Configuring ports
The less access there is to your VPS, the more secure your server is. However, not all ports can be closed as the clients must be able to use your services.
The ports opened by default are the following:
TCP_IN = “20,21,22,25,53,80,110,143,443,465,587,993,995”
TCP_OUT = “20,21,22,25,53,80,110,113,443”
UDP_IN = “20,21,53”
UDP_OUT = “20,21,53,113,123”
Services using the open ports:
Port 20: FTP data transfer
Port 21: FTP control
Port 22: Secure shell (SSH)
Port 25: Simple mail transfer protocol (SMTP)
Port 53: Domain name system (DNS)
Port 80: Hypertext transfer protocol (HTTP)
Port 110: Post office protocol v3 (POP3)
Port 113: Authentication service/identification protocol
Port 123: Network time protocol (NTP)
Port 143: Internet message access protocol (IMAP)
Port 443: Hypertext transfer protocol over SSL/TLS (HTTPS)
Port 465: URL Rendesvous Directory for SSM (Cisco)
Port 587: E-mail message submission (SMTP)
Port 993: Internet message access protocol over SSL (IMAPS)
Port 995: Post office protocol 3 over TLS/SSL (POP3S)
It is possible that you are not using all of these services, so you can close the ports that are not used. I would recommend closing all ports (removing port number form the list), and then adding the ports you need.
Below are port sets that should be opened if you are running the listed service:
On any server:
MySQL server (if remote access is required)
Note: If you are using IPv6 for your services, you should also configure TCP6_IN, TCP6_OUT, UPD6_IN, and UPD6_OUT similarly to how IPv4 ports were configured earlier.