How to set up a firewall for the server of a Linux system

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to set up a firewall for a Linux server. Many people are unsure how to do this in day-to-day operation, so the editor consulted various materials and put together a simple, easy-to-use procedure. I hope it helps answer the question of how to set up a firewall for a Linux server. Next, please follow the editor to study!

Firewalls help filter inbound and outbound ports and block brute-force login attempts. I prefer to use CSF (ConfigServer Firewall) as a powerful firewall. It uses iptables, is easy to manage, and provides a web interface for users who are not comfortable typing commands.

To install CSF, log in to the server and change to this directory:

The code is as follows:

cd /usr/local/src/

Then execute the following commands with root privileges:

The code is as follows:

wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Just wait for the installer to complete, and then edit the configuration file for CSF:

The code is as follows:

/etc/csf/csf.conf

By default, CSF runs in test mode. Switch to production mode by setting the value of TESTING to 0.

The code is as follows:

TESTING = "0"

The next thing to set is the ports that are allowed on the server. Navigate to the following section in csf.conf and modify the ports as needed:

The code is as follows:

# TCP ports allowed inbound
TCP_IN = "20,21,25,53,80,110,143,463,465,587,993,995,16543"

# TCP ports allowed outbound
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,16543"

# UDP ports allowed inbound
UDP_IN = "20,21,53"

# UDP ports allowed outbound
# to allow traceroute requests, add the port range of 33434 to 33523 to the list
UDP_OUT = "20,21,53,113,123"

Set them one by one according to your needs. Open only the ports that are actually needed, and avoid allowing wide port ranges. In addition, avoid using insecure ports for insecure services. For example, allow only ports 465 and 587 for sending e-mail, replacing the default SMTP port 25. (LCTT translation note: only if your mail server supports SMTPS)

Important: don't forget to allow your custom SSH port.
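A pre-restart check for the settings above, as an added example that is not part of the original article or of CSF. It verifies that TESTING is 0, that every port list contains only ports or low:high ranges (the range form csf.conf uses), and that the SSH port is in TCP_IN. The function names, the constructed sample file and the use of 16543 as the SSH port are assumptions for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a csf.conf before restarting CSF.

# conf_value FILE KEY: print the value from a line of the form KEY = "value".
conf_value() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# port_in_list LIST [PORT]: fail if LIST holds anything other than ports
# (1-65535) or low:high ranges; with PORT given, also fail unless LIST covers it.
port_in_list() {
    pl_list=$(printf %s "$1" | tr -d ' ')
    pl_want=${2:-}
    pl_hit=0
    case $pl_list in *[!0-9:,]*) return 1 ;; esac
    pl_ifs=$IFS; IFS=,; set -- $pl_list; IFS=$pl_ifs
    for pl_e in "$@"; do
        case $pl_e in '' | :* | *: | *:*:*) return 1 ;; esac
        pl_lo=${pl_e%%:*}; pl_hi=${pl_e##*:}
        [ "$pl_lo" -ge 1 ] && [ "$pl_hi" -le 65535 ] && [ "$pl_lo" -le "$pl_hi" ] || return 1
        if [ -n "$pl_want" ] && [ "$pl_want" -ge "$pl_lo" ] && [ "$pl_want" -le "$pl_hi" ]; then pl_hit=1; fi
    done
    [ -z "$pl_want" ] || [ "$pl_hit" -eq 1 ]
}

# audit_csf FILE SSH_PORT: print one finding per line; return 1 if there are any.
audit_csf() {
    ac_bad=0
    [ "$(conf_value "$1" TESTING)" = "0" ] || { echo "TESTING is not 0"; ac_bad=1; }
    for ac_key in TCP_IN TCP_OUT UDP_IN UDP_OUT; do
        port_in_list "$(conf_value "$1" "$ac_key")" || { echo "$ac_key: malformed port list"; ac_bad=1; }
    done
    port_in_list "$(conf_value "$1" TCP_IN)" "$2" || { echo "TCP_IN: SSH port $2 not allowed"; ac_bad=1; }
    return "$ac_bad"
}

# write_sample FILE: constructed config; UDP_OUT writes the traceroute range
# with a dash, while csf.conf expects low:high (33434:33523).
write_sample() {
    cat > "$1" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,25,53,80,110,143,463,465,587,993,995,16543"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,16543"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123,33434-33523"
EOF
}

if [ $# -eq 2 ]; then audit_csf "$1" "$2"; fi
```

Run it with the configuration path and your SSH port as the two arguments; a non-zero exit status means at least one finding was printed.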

It is important to allow your IP address to pass through the firewall without being blocked. The IP address is defined in the following file:

The code is as follows:

/etc/csf/csf.ignore

The blocked IP address will appear in this file:

The code is as follows:

/etc/csf/csf.deny

Once the changes are complete, restart csf using this command:

The code is as follows:

sudo /etc/init.d/csf restart

The following is part of the csf.deny file on a server to illustrate the usefulness of CSF:

The code is as follows:

211.216.48.205 # lfd: (sshd) Failed SSH login from 211.216.48.205 (KR/Korea, Republic of/-): 5 in the last 3600 secs - Fri Mar 6 00:30:35 2015
103.41.124.53 # lfd: (sshd) Failed SSH login from 103.41.124.53 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 01:06:46 2015
103.41.124.42 # lfd: (sshd) Failed SSH login from 103.41.124.42 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 01:59:04 2015
103.41.124.26 # lfd: (sshd) Failed SSH login from 103.41.124.26 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 02:48:26 2015
109.169.74.58 # lfd: (sshd) Failed SSH login from 109.169.74.58 (GB/United Kingdom/mail2.algeos.com): 5 in the last 3600 secs - Fri Mar 6 03:49:03 2015

You can see that IP addresses that try to log in by brute force are blocked. It's out of sight and out of mind.
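In the listing above, three of the five blocked addresses fall in the same 103.41.124.x range. The following added example (not part of the original article or of CSF) groups lfd's SSH blocks in csf.deny by /24 network so that such clusters stand out. The function names and the sample entries, which use documentation address ranges, are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise lfd SSH blocks in csf.deny by /24 network.

# deny_ssh_by_net FILE [MIN]: print "COUNT NETWORK/24" for entries that lfd
# added for failed SSH logins, busiest network first. Networks with fewer
# than MIN entries (default 1) and entries not written by lfd are skipped.
deny_ssh_by_net() {
    awk -v min="${2:-1}" '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ \t]+# lfd: \(sshd\) Failed SSH login/ {
            split($1, o, ".")
            n[o[1] "." o[2] "." o[3] ".0/24"]++
        }
        END { for (k in n) if (n[k] >= min) print n[k], k }
    ' "$1" | sort -k1,1nr -k2,2
}

# write_deny_sample FILE: constructed csf.deny content in the format shown above.
write_deny_sample() {
    cat > "$1" <<'EOF'
203.0.113.17 # lfd: (sshd) Failed SSH login from 203.0.113.17 (ZZ/Example/-): 5 in the last 3600 secs - Fri Mar 6 00:30:35 2015
203.0.113.42 # lfd: (sshd) Failed SSH login from 203.0.113.42 (ZZ/Example/-): 5 in the last 3600 secs - Fri Mar 6 01:06:46 2015
198.51.100.8 # lfd: (sshd) Failed SSH login from 198.51.100.8 (ZZ/Example/-): 5 in the last 3600 secs - Fri Mar 6 01:59:04 2015
203.0.113.99 # lfd: (sshd) Failed SSH login from 203.0.113.99 (ZZ/Example/-): 5 in the last 3600 secs - Fri Mar 6 02:48:26 2015
192.0.2.9 # Manually denied (constructed entry, not written by lfd)
EOF
}

if [ $# -ge 1 ]; then deny_ssh_by_net "$@"; fi
```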

That concludes this look at how to set up a firewall for a Linux server. I hope it has answered your questions. Theory and practice together help you learn better, so go and try it! If you want to learn more, please continue to follow the website; the editor will keep working to bring you more practical articles.
