Having played with CSF for a while on one server, I’ve decided I like it more than UFW and fail2ban. It seems much better at blocking mail brute-force attacks and distributed SSH attacks. So anyway, here’s a list of steps to achieve that, as much for my own record as anything. The server is running Ubuntu 16.04, but these general steps should work anywhere. In addition, the server I did it on is also running VestaCP, so there are a couple more steps for that.
- Download and install CSF
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
- Edit the open ports in /etc/csf/csf.conf to reflect your environment. The csf installer will automatically detect SSH running on a non-standard port and add it. It will also tell you during install which ports are listening. Review:
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
TCP_IN = "22,25,80,110,143,443,465"
Also TCPV6_OUT and TCPV6_IN.
- Set the following values
TESTING = "1"
RESTRICT_SYSLOG = "3"
RESTRICT_SYSLOG_GROUP = "sysloggers"
LF_ALERT_TO = "firstname.lastname@example.org"
LF_ALERT_FROM = "email@example.com"
LF_DISTATTACK = "1"
PT_USERTIME = "1"
- Review the log settings from HTACCESS_LOG onwards. Specifically on Ubuntu, you need to set
SSHD_LOG = "/var/log/auth.log"
SU_LOG = "/var/log/auth.log"
FTPD_LOG = "/var/log/syslog"
SMTPAUTH_LOG = "/var/log/secure"
POP3D_LOG = "/var/log/mail.log"
IMAPD_LOG = "/var/log/mail.log"
IPTABLES_LOG = "/var/log/syslog"
SUHOSIN_LOG = "/var/log/syslog"
BIND_LOG = "/var/log/syslog"
SYSLOG_LOG = "/var/log/syslog"
WEBMIN_LOG = "/var/log/auth.log"
- You can now start csf. It will replace all the UFW rules with its own.
systemctl disable ufw
systemctl disable fail2ban
- Archive off fail2ban and remove logrotate config
tar -cvf /etc/fail2ban.tar /etc/fail2ban/
apt remove fail2ban ufw
- Extra steps for VestaCP
In the /usr/local/vesta/conf/vesta.conf file.
Install the Vesta UI and v-csf script from https://github.com/haipham/csf-vestacp/blob/master/install.sh
(I prefer to do this manually.)
- Final hacking. Over the next few days you’ll need to pay attention to the other files in /etc/csf/.
- Extra aggressive settings for those email brute-forcers (the second _PERM line is for IMAP, not a repeat of the POP3 one).
LF_POP3D = "5"
LF_POP3D_PERM = "86400"
LF_IMAPD = "5"
LF_IMAPD_PERM = "86400"
- Adjust Logwatch as necessary.
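Before you flip TESTING off and let lfd loose, it is worth sanity-checking the edited csf.conf: a key pasted twice (the last one silently wins), a *_LOG path that does not exist on this distro (lfd will just never see those failures), or TESTING still set to "1" (lfd refuses to start until it is "0"). The script below is an added example of such a check, written for this post and not part of CSF or VestaCP. It runs against a constructed sample config rather than the real /etc/csf/csf.conf, and the optional root argument to csf_missing_logs lets the test resolve log paths under a temporary tree; for a real check pass the real file and leave the root empty.

```sh
#!/bin/sh
# Added example: sanity-check a csf.conf before enabling the firewall.
# Everything below works on a constructed sample, not the live config.

WORK="${TMPDIR:-/tmp}/csfcheck.$$"
mkdir -p "$WORK/var/log"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample config, deliberately containing three problems:
# a duplicated key, a log path that does not exist (under $WORK), and TESTING left on.
CONF="$WORK/csf.conf"
cat > "$CONF" <<'EOF'
# constructed sample mimicking the settings from the post
TESTING = "1"
TCP_IN = "22,25,80,110,143,443,465"
SSHD_LOG = "/var/log/auth.log"
SMTPAUTH_LOG = "/var/log/secure"
LF_POP3D = "5"
LF_POP3D_PERM = "86400"
LF_IMAPD = "5"
LF_POP3D_PERM = "86400"
EOF

# Pretend only auth.log exists on this box (constructed filesystem under $WORK).
: > "$WORK/var/log/auth.log"

# csf_dup_keys FILE: print every key that is assigned more than once.
# Comment lines never match because the key class excludes '#'.
csf_dup_keys() {
    sed -n 's/^\([A-Z0-9_]*\)[[:space:]]*=.*/\1/p' "$1" | sort | uniq -d
}

# csf_missing_logs FILE [ROOT]: print "KEY PATH" for each *_LOG setting whose
# file does not exist. ROOT is prefixed to each path (empty for the real system).
csf_missing_logs() {
    conf="$1"; root="${2:-}"
    sed -n 's/^\([A-Z0-9_]*_LOG\)[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1 \2/p' "$conf" |
    while read -r key path; do
        [ -e "$root$path" ] || printf '%s %s\n' "$key" "$path"
    done
}

# csf_testing_on FILE: succeed (exit 0) if TESTING is still "1", i.e. lfd will not run.
csf_testing_on() {
    grep -q '^TESTING[[:space:]]*=[[:space:]]*"1"' "$1"
}

# Report findings for the sample.
echo "Duplicate keys:";      csf_dup_keys "$CONF"
echo "Missing log files:";   csf_missing_logs "$CONF" "$WORK"
csf_testing_on "$CONF" && echo "TESTING is still 1: lfd will not start"
```

Run it against the real file with csf_dup_keys /etc/csf/csf.conf and csf_missing_logs /etc/csf/csf.conf; anything it prints is worth fixing before csf -r.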