Switch from UFW and fail2ban to CSF

Having played with CSF for a while on one server, I've decided I like it more than UFW and fail2ban. It seems much better at blocking mail bruteforce attacks and distributed attacks against SSH. So anyway, here's the list of steps to make the switch, as much for my own record as anything. The server is running Ubuntu 16.04, but these general steps should work anywhere. The server I did it on also runs VestaCP, so there are a couple of extra steps for that.

  1. Download and install CSF
    cd code
    wget https://download.configserver.com/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh
  2. Edit the open ports in /etc/csf/csf.conf to reflect your environment. The csf installer automatically detects SSH running on a non-standard port and adds it. It also tells you during install which ports are listening. Review:
    TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
    TCP_IN = "22,25,80,110,143,443,465"
    Also review TCPV6_OUT and TCPV6_IN.
  3. Set the following values
    TESTING = "1"
    RESTRICT_SYSLOG = "3"
    RESTRICT_SYSLOG_GROUP = "sysloggers"
    LF_ALERT_TO = "[email protected]"
    LF_ALERT_FROM = "[email protected]"
    LF_DISTATTACK = "1"
    PT_USERTIME = "1"
  4. Review the log settings from HTACCESS_LOG onwards. On Ubuntu specifically, you need to set
    SSHD_LOG = "/var/log/auth.log"
    SU_LOG = "/var/log/auth.log"
    FTPD_LOG = "/var/log/syslog"
    SMTPAUTH_LOG = "/var/log/secure"
    POP3D_LOG = "/var/log/mail.log"
    IMAPD_LOG = "/var/log/mail.log"
    IPTABLES_LOG = "/var/log/syslog"
    SUHOSIN_LOG = "/var/log/syslog"
    BIND_LOG = "/var/log/syslog"
    SYSLOG_LOG = "/var/log/syslog"
    WEBMIN_LOG = "/var/log/auth.log"
  5. You can now start csf. It will replace all the UFW rules with its own.
    ufw disable
    systemctl disable ufw
    systemctl disable fail2ban
    csf -ra
  6. Archive off fail2ban and remove its logrotate config
    tar -cvf /etc/fail2ban.tar /etc/fail2ban/
    apt remove fail2ban ufw
    rm /etc/logrotate.d/fail2ban
  7. Extra steps for VestaCP
    In /usr/local/vesta/conf/vesta.conf, set both firewall settings to empty so Vesta stops managing iptables itself:
    FIREWALL_SYSTEM=""
    FIREWALL_EXTENSION=""
    Install the Vesta UI plugin and the v-csf script from https://github.com/haipham/csf-vestacp/blob/master/install.sh
    (I prefer to do this manually rather than run the script.)
  8. Final hacking. Over the next few days you'll need to pay attention to the other files in /etc/csf/:
    csf.ignore
    csf.pignore
    csf.blocklists
    csf.allow
    csf.deny
  9. Extra aggressive settings for those email bruteforcers (csf.conf values are quoted, and the IMAP permanent-block key is LF_IMAPD_PERM, not a second LF_POP3D_PERM):
    LF_POP3D = "5"
    LF_POP3D_PERM = "86400"
    LF_IMAPD = "5"
    LF_IMAPD_PERM = "86400"
  10. Adjust Logwatch as necessary.
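Steps 2 to 4 and 9 are all edits to /etc/csf/csf.conf, and the easy slip-ups are a log path that does not exist on Ubuntu, a port missing from TCP_IN, and forgetting that TESTING = "1" keeps the cron job that flushes the iptables rules every CF_INTERVAL minutes (lfd does not run until it is "0"). The following script is an added example, not part of CSF or of the original post: it reads KEY = "value" lines from a csf.conf-style file and checks those three things. The csf.conf fragment it reads is constructed inline so the script runs offline; the CSF_CONF environment variable and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example: audit a csf.conf for the settings used in the steps above.
# Not CSF's own code. Assumed: csf.conf uses the form KEY = "value".

CONF="${CSF_CONF:-/etc/csf/csf.conf}"   # real config, checked only if readable

# Constructed csf.conf fragment so the example runs without CSF installed.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed fragment for the example, not a real server's config
TESTING = "1"
CF_INTERVAL = "5"
TCP_IN = "22,25,80,110,143,443,465,30000:35000"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
LF_DISTATTACK = "1"
SSHD_LOG = "/var/log/auth.log"
SMTPAUTH_LOG = "/var/log/secure"
LF_POP3D = "5"
LF_POP3D_PERM = "86400"
LF_IMAPD = "5"
LF_IMAPD_PERM = "86400"
EOF

# csf_get FILE KEY: print the quoted value of KEY (first match), or nothing.
csf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# csf_check_testing FILE: 0 if TESTING = "0" (production), 1 otherwise.
# With TESTING = "1" a cron job clears the firewall every CF_INTERVAL minutes.
csf_check_testing() {
    t=$(csf_get "$1" TESTING)
    if [ "$t" = "0" ]; then
        echo "ok: TESTING = 0"
        return 0
    fi
    echo "warn: TESTING = \"$t\" (rules flushed every $(csf_get "$1" CF_INTERVAL) min, lfd not running)"
    return 1
}

# csf_check_logs FILE: print every *_LOG path that does not exist.
# Returns the number of missing files (0 means all paths are present).
csf_check_logs() {
    missing=0
    for key in $(sed -n 's/^[[:space:]]*\([A-Z0-9]*_LOG\)[[:space:]]*=.*/\1/p' "$1"); do
        path=$(csf_get "$1" "$key")
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then
            echo "missing: $key = $path"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# csf_port_allowed FILE LISTKEY PORT: 0 if PORT is in the comma-separated
# list (TCP_IN, TCP_OUT, ...), including csf's lo:hi port ranges; else 1.
csf_port_allowed() {
    list=$(csf_get "$1" "$2")
    old_ifs=$IFS
    IFS=,
    for item in $list; do
        case "$item" in
            *:*)
                lo=${item%%:*}
                hi=${item##*:}
                if [ "$3" -ge "$lo" ] && [ "$3" -le "$hi" ]; then
                    IFS=$old_ifs
                    return 0
                fi
                ;;
            *)
                if [ "$item" = "$3" ]; then
                    IFS=$old_ifs
                    return 0
                fi
                ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Demo against the constructed fragment.
csf_check_testing "$SAMPLE_CONF" || true
csf_check_logs "$SAMPLE_CONF" || true
for p in 22 465 32000 8080; do
    if csf_port_allowed "$SAMPLE_CONF" TCP_IN "$p"; then
        echo "TCP_IN allows $p"
    else
        echo "TCP_IN blocks $p"
    fi
done
for key in LF_POP3D LF_POP3D_PERM LF_IMAPD LF_IMAPD_PERM; do
    echo "$key = $(csf_get "$SAMPLE_CONF" "$key")"
done

# Same checks against the real config, when present.
if [ -r "$CONF" ]; then
    csf_check_testing "$CONF" || true
    csf_check_logs "$CONF" || true
fi
```

Run it as root on the server (or point CSF_CONF at a copy) after editing csf.conf and again after switching TESTING to "0"; the log check is the quick way to catch /var/log/secure, which does not exist on a stock Ubuntu box.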