CSF/LFD firewall installation guide for Plesk

Config Server Firewall (csf) and Login Failure Daemon (lfd) is a robust firewall solution having Stateful Packet Inspection (SPI), Login/Intrusion Detection and Security application for Linux servers. Although it is more compatible with CPanel we have been able to use the same for the Plesk hosting control panel also and it is running fine. Please visit the below link for more information.

http://www.configserver.com

I have listed the installation steps for CSF / LFD.Login to your server with ‘root’ user and issue below commands :

Change directory to either /root or /usr/local/src , which ever you normally use for such installations

# cd /usr/local/src

[Remove any old source that might be present]

Download and untar the source for installation

# wget http://www.configserver.com/free/csf.tgz
# tar -xzf csf.tgz

Run installation script

# cd csf
# sh install.sh

Once the installation complete, you can run the below scripts provided by vendor to check if your server/vps has required iptables modules available :

# perl /etc/csf/csftest.pl

CSF provides the script to remove the other popular combination I talked about above i.e. apf/bfd, The below script will remove apf/bfd from your server/vps.

# sh /etc/csf/remove_apf_bfd.sh

Common setting for incoming/outgoing TCP/IP and UDP connection.

ETH_DEVICE = “eth1″

ETH_DEVICE_SKIP = “eth0″

# Allow incoming TCP ports
TCP_IN = “20,21,25,53,80,106,110,111,143,443,465,587,865,873,993,995,8443,8880″

# Allow outgoing TCP ports
TCP_OUT = “20,21,22,25,80,110,443,43,873,8443″

# Allow incoming UDP ports
UDP_IN = “53,111,123,230,631,859,862,2109,5353″

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = “20,21,53,113,123,2109″

# Allow incoming PING
ICMP_IN = “1″

# Set the per IP address incoming ICMP packet rate
# To disable rate limiting set to “0″
ICMP_IN_RATE = “0″

# Allow outgoing PING
ICMP_OUT = “1″

# Set the per IP address outgoing ICMP packet rate
# To disable rate limiting set to “0″
ICMP_OUT_RATE = “0″

# Enable login failure detection daemon (lfd).
LF_DAEMON = “1″

For allowing Qmail in CSF alter below setting(s)

SMTP_BLOCK = “1″
SMTP_ALLOWLOCAL = “1″
SMTP_PORTS = “25,587″
SMTP_ALLOWUSER = “qmaild,qmaill,qmailp,qmailq,qmailr,qmails”
SMTP_ALLOWGROUP = “qmail,nofiles,mail,mailman”

Set CSF/LFD reporting FROM/TO ID as below [**** Need to set for Plesk]

LF_ALERT_TO = “supportteam@diadem.co.in”
LF_ALERT_FROM = “csf_LFD@diadem.co.in”

Allowing third party block list checking

# Enable IP range blocking using the DShield Block List at
LF_DSHIELD = “86400″

# Enable IP range blocking using the Spamhaus DROP List at
LF_SPAMHAUS = “86400″

# Enable IP range blocking using the BOGON List at
LF_BOGON = “86400″

Now Add the LFD ignore list for qmail/plesk mail user/process in csf.pignore file.

# vim /etc/csf/csf.pignore

#### Custom for Plesk ####
user:admin
exe:/var/qmail/bin/qmail-smtpd
exe:/usr/bin/imapd
exe:/var/qmail/bin/qmail-queue
exe:/usr/bin/pop3d
exe:/var/qmail/bin/qmail-send
cmd:qmail-send
cmd:/usr/bin/pop3d Maildir
cmd:/var/qmail/bin/qmail-queue
cmd:/var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
cmd:/usr/bin/imapd Maildir
exe:/var/qmail/bin/qmail-rspawn
cmd:qmail-rspawn
exe:/var/qmail/bin/qmail-clean
cmd:qmail-clean
exe:/usr/sbin/clamd
cmd:clamd
exe:/var/qmail/bin/splogger
cmd:splogger qmail
exe:/var/qmail/bin/qmail-remote.moved
user:qmaill
user:popuser
user:qmaild
user:qmails
user:qmailr
user:qmailq
user:qscand
exe:/usr/sbin/avahi-daemon
user:avahi
exe:/usr/local/sbin/zabbix_agentd
cmd:/usr/local/sbin/zabbix_agentd
user:zabbix
exe:/usr/bin/sw-engine-cgi
cmd:/usr/bin/sw-engine-cgi
user:sso
exe:/usr/sbin/sw-cp-serverd
cmd:/usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config
user:sw-cp-server
exe:/usr/bin/sw-engine-cgi
cmd:/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm
user:psaadm
exe:/usr/libexec/mysqld
cmd:/usr/libexec/mysqld –basedir=/usr –datadir=/var/lib/mysql –user=mysql –pid-file=/var/run/mysqld/mysqld.pid –skip-external-locking –socket=/var/lib/mysql/mysql.sock
user:mysql
exe:/usr/libexec/hald-addon-acpi
exe:/usr/sbin/hald
cmd:hald
user:haldaemon
exe:/usr/bin/postgres
user:postgres
exe:/sbin/portmap
cmd:portmap
user:rpc
exe:/usr/bin/xfs
cmd:xfs -droppriv -daemon
user:xfs
exe:/usr/bin/python
cmd:/usr/bin/python /usr/lib/mailman/bin/qrunner –runner=VirginRunner:0:1 -s
user:mailman
exe:/usr/java/jdk1.6.0_20/bin/java
user:tomcat

Note: You may need to add few more process/user as per your requirement.

Now start the CSF

# csf -s

Restart LFD

# service lfd restart

Installation is done, now check the website, mail  and other services(s) and disable TESTING mode and restart CSF/LFD

# csf -r
# service lfd restart

I will list below some of very common commands you will need to use/manage csf firewall :

Enabling the firewall

# csf –enable OR
# csf -e

Disabling the firewall

# csf –disable
# csf -x

Starting firewall / applying rules

# csf –start
# csf -s

Stopping firewall / flushing rules

# csf –stop
# csf -f

Adding an IP in firewall

# csf -d 2.3.4.5 “Reason for blocking the IP”
# csf –deny 2.3.4.5 “Reason for blocking the IP”
where 2.3.4.5 is the IP you want to block.

Removing IP from deny list

# csf -dr 2.3.4.5

Leave a comment