{"id":416,"date":"2017-11-10T16:21:21","date_gmt":"2017-11-10T08:21:21","guid":{"rendered":"https:\/\/play.datalude.com\/blog\/?p=416"},"modified":"2023-08-15T09:00:10","modified_gmt":"2023-08-15T01:00:10","slug":"switch-from-ufw-and-fail2ban-to-csf","status":"publish","type":"post","link":"https:\/\/play.datalude.com\/blog\/2017\/11\/switch-from-ufw-and-fail2ban-to-csf\/","title":{"rendered":"Switch from UFW and fail2ban to CSF"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Having played with CSF for a while on one server, I've decided I like it more than UFW and fail2ban. It seems much better at blocking mail brute-force attacks and distributed SSH attacks. So anyway, here's a list of steps to achieve that, as much for my record as anything. The server is running Ubuntu 16.04, but these general steps should work anywhere. In addition, the server I did it on is also running VestaCP, so there are a couple more steps for that.<\/p>\n\n\n\n<!--more-->\n\n\n\n<ol class=\"wp-block-list\"><li><strong>Download and install CSF<\/strong><br> cd code<br> wget https:\/\/download.configserver.com\/csf.tgz<br> tar -xzf csf.tgz<br> cd csf<br> sh install.sh<\/li><li><strong>Edit open ports<\/strong> in \/etc\/csf\/csf.conf to reflect your environment. The csf installer will automatically detect ssh running on non-standard ports and add those. It will also tell you during install which ports are listening. Review:<br> TCP_OUT = \"20,21,22,25,53,80,110,113,443,587,993,995\"<br> TCP_IN = \"22,25,80,110,143,443,465\"<br> Also TCPV6_OUT and TCPV6_IN.<\/li><li><strong>Set the following values<\/strong><br> TESTING = \"1\"<br> RESTRICT_SYSLOG = \"3\"<br> RESTRICT_SYSLOG_GROUP = \"sysloggers\"<br> LF_ALERT_TO = \"x@domain.com\"<br> LF_ALERT_FROM = \"csf@domain.com\"<br> LF_DISTATTACK = \"1\"<br> PT_USERTIME = \"1\"<\/li><li><strong>Review log settings<\/strong> from HTACCESS_LOG onwards. 
Specifically on Ubuntu, you need to set<br> SSHD_LOG = \"\/var\/log\/auth.log\"<br> SU_LOG = \"\/var\/log\/auth.log\"<br> FTPD_LOG = \"\/var\/log\/syslog\"<br> SMTPAUTH_LOG = \"\/var\/log\/secure\"<br> POP3D_LOG = \"\/var\/log\/mail.log\"<br> IMAPD_LOG = \"\/var\/log\/mail.log\"<br> IPTABLES_LOG = \"\/var\/log\/syslog\"<br> SUHOSIN_LOG = \"\/var\/log\/syslog\"<br> BIND_LOG = \"\/var\/log\/syslog\"<br> SYSLOG_LOG = \"\/var\/log\/syslog\"<br> WEBMIN_LOG = \"\/var\/log\/auth.log\"<\/li><li>You can now <strong>start csf.<\/strong> It will replace all the UFW rules with its own.<br> ufw disable<br> systemctl disable ufw<br> systemctl disable fail2ban<br> csf -ra<\/li><li><strong>Archive off fail2ban and remove logrotate config<\/strong><br> tar -cvf \/etc\/fail2ban.tar \/etc\/fail2ban\/<br> apt remove fail2ban ufw<br> rm \/etc\/logrotate.d\/fail2ban<\/li><li><strong>Extra steps for VestaCP<\/strong><br> In the \/usr\/local\/vesta\/conf\/vesta.conf file, set<br> FIREWALL_SYSTEM=\"\"<br> FIREWALL_EXTENSION=\"\"<br> Install the vesta UI and v-csf script from https:\/\/github.com\/haipham\/csf-vestacp\/blob\/master\/install.sh<br> (prefer to do this manually)<\/li><li><strong>Final hacking.<\/strong> Over the next few days you'll need to pay attention to other files in \/etc\/csf\/<br> csf.ignore<br> csf.pignore<br> csf.blocklists<br> csf.allow<br> csf.deny<\/li><li><strong>Extra aggressive settings for those email brute-forcers.<\/strong><br> LF_POP3D = \"5\"<br> LF_POP3D_PERM = \"86400\"<br> LF_IMAPD = \"5\"<br> LF_IMAPD_PERM = \"86400\"<\/li><li>Adjust Logwatch as necessary.<\/li><\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Having played with CSF for a while on one server, I've decided I like it more than UFW and fail2ban. It seems much better at blocking mail brute-force attacks and distributed SSH attacks. So anyway, here's a list of steps to achieve that, as much for my record as anything. 
The server is &#8230; <a title=\"Switch from UFW and fail2ban to CSF\" class=\"read-more\" href=\"https:\/\/play.datalude.com\/blog\/2017\/11\/switch-from-ufw-and-fail2ban-to-csf\/\" aria-label=\"Read more about Switch from UFW and fail2ban to CSF\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[4,5],"tags":[],"class_list":["post-416","post","type-post","status-publish","format-standard","hentry","category-linux","category-security"],"_links":{"self":[{"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/posts\/416","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/comments?post=416"}],"version-history":[{"count":0,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/posts\/416\/revisions"}],"wp:attachment":[{"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/media?parent=416"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/categories?post=416"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/tags?post=416"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}