Install CSF (ConfigServer Security & Firewall) di CentOS 8
Install CSF (ConfigServer Security & Firewall) di CentOS 8
Halo semua, Server perlu sebuah keamanan atau sebuah firewall. Nah kali ini kita akan membahas mengenai yang namanya CSF atau ConfigServer Security & Firewall. Untuk CSF ini seringkali di terapkan di web hosting, selain itu cocok juga untuk sebuah keamanan server dan website. Karena di CSF akan memblock sebuah serangan bertubi-tubi dan tidak memberikan akses kembali.
CSF (ConfigServer Security & Firewall) ini salah satu sistem keamanan yang baik dan sangat apik. Selain itu juga CSF sangat mudah di operasikan. CSF adalah firewall Statefull Packet Inspection (SPI) yang berbasis OpenSource, Selain itu CSF juga bisa di gunakan aplikasi keamanan Login / Intrusion Detection Security untuk server.
Feature CSF (ConfigServer Security & Firewall)
Dan untuk CSF itu sendiri mempunyai fitur. Dan kurang lebih feature dari CSF seperti ini :
- Daemon process untuk mengecheck kegagalan login SSH, IMAP, SMTP, POP3, FTP, htpassword, dan masih banyak lagi.
- Kemampuan memblock koneksi.
- Proteksi paket BOGON
- SYN Flood protection
- Directory and file watching
- IDS (Intrusion Detection System)
- DDOS Protection
- Ping of Death Protection
- Port scan tracking and blocking
- Port Flooding Detection
- IPv6 Support with ip6tables
- Integrated with the CloudFlare Firewall
Install CSF (ConfigServer Security & Firewall) di CentOS 8
Jika di dalam server tersebut tidak sedang menjalankan service yang sangat critical atau sedang tidak menjadi server produksi, teman-teman bisa upgrade package yang terinstall kemudian reboot server nya.
Pastikan masuk menggunakan user root
untuk root biasanya diberi simbol #
- Jika sudah masuk menggunakan akun
root
silahkan teman-teman upgrade dan install package depency nya. Lalu reboot.
<span class="hljs-attribute">yum</span> upgrade -y
install depency
yum <span class="hljs-keyword">install</span> perl-libwww-perl net-tools perl-LWP-Protocol-https -y
dan reboot
<span class="hljs-attribute">reboot</span>
- Jika sudah selesai upgrade package, install package
@perl
<span class="hljs-attribute">yum</span> install <span class="hljs-variable">@perl</span> -y
- Kemudian check versi perl nya
[root@venus ~]<span class="hljs-comment"># perl -v</span>
This <span class="hljs-keyword">is</span> perl <span class="hljs-number">5</span>, version <span class="hljs-number">26</span>, subversion <span class="hljs-number">3</span> (v5<span class="hljs-number">.26</span><span class="hljs-number">.3</span>) built <span class="hljs-keyword">for</span> x86_64-linux-thread-multi
(with <span class="hljs-number">51</span> registered patches, see perl -V <span class="hljs-keyword">for</span> more detail)
Copyright <span class="hljs-number">1987</span><span class="hljs-number">-2018</span>, Larry Wall
Perl may be copied only under the terms <span class="hljs-keyword">of</span> either the Artistic License <span class="hljs-keyword">or</span> the
GNU General Public License, which may be found <span class="hljs-keyword">in</span> the Perl <span class="hljs-number">5</span> source kit.
Complete documentation <span class="hljs-keyword">for</span> Perl, including FAQ lists, should be found <span class="hljs-literal">on</span>
<span class="hljs-keyword">this</span> system using <span class="hljs-string">"man perl"</span> <span class="hljs-keyword">or</span> <span class="hljs-string">"perldoc perl"</span>. If you have access to the
Internet, point your browser at http:<span class="hljs-regexp">//</span>www.perl.org/, the Perl Home Page.
- Setelah selesai instalasi package
perl
selanjutnya adalah mendownload file instalasi CSF.
<span class="hljs-attribute">curl</span> -SL https://download.configserver.com/csf.tgz | tar -xzf -
- Masuk ke directory yang barusaja di download. Yaitu directory
csf
<span class="hljs-built_in">cd</span> csf
- Jalankan installer. Untuk instalasi CSF ini akan berjalan secara otomatis menggunakan script tersebut.
<span class="hljs-selector-tag">sh</span> <span class="hljs-selector-tag">install</span><span class="hljs-selector-class">.sh</span>
- Jika sudah selesai akan muncul tulisan
Installation Completed
- Dan selanjutnya melakukan test instalasi, dengan menjalankan command
perl /usr/local/csf/bin/csftest.pl
- Dan akan muncul tampilan kurang lebih seperti ini :
[root@venus ~]# perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Konfigurasi dan Start CSF di CentOS 8
Setelah menginstall CSF di server selanjutnya mengkonfigurasi. Untuk konfigurasi utama ada di /etc/csf/csf.conf
. Edit file tersebut untuk memodifikasi rule dari firewall. Untuk melihat TCP dan UDP port yang di ijinkan bisa di check dibawah ini.
Selanjutnya adalah mendisable mode testing, Untuk mendisablenya bisa menggunakan command berikut ini.
perl -<span class="hljs-built_in">pi</span> -w -e <span class="hljs-string">"s/TESTING = \"1\"/TESTING = \"0\"/"</span> /etc/csf/csf.conf
Selanjutnya mengabaikan IP yang sudah di allow sebelumnya saat testing.
perl -<span class="hljs-built_in">pi</span> -w -e <span class="hljs-string">"s/IGNORE_ALLOW = \"0\"/IGNORE_ALLOW = \"1\"/"</span> /etc/csf/csf.conf
Dan selanjutnya adalah membuat service CSF berjalan setiap booting.
systemctl <span class="hljs-built_in">enable</span> --now csf
Dan check apakah service sudah berjalan.
[root@venus ~]# systemctl status csf
● csf.service - <span class="hljs-symbol">ConfigServer</span> <span class="hljs-symbol">Firewall</span> & <span class="hljs-symbol">Security</span> - csf
<span class="hljs-symbol">Loaded</span>: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: disabled)
<span class="hljs-symbol">Active</span>: active (exited) since <span class="hljs-symbol">Fri</span> <span class="hljs-number">2020</span><span class="hljs-number">-02</span><span class="hljs-number">-14</span> <span class="hljs-number">15</span>:<span class="hljs-number">20</span>:<span class="hljs-number">42</span> <span class="hljs-symbol">UTC</span>; <span class="hljs-number">2</span>min <span class="hljs-number">25</span>s ago
<span class="hljs-symbol">Process</span>: <span class="hljs-number">6927</span> <span class="hljs-symbol">ExecStart</span>=/usr/sbin/csf --initup (code=exited, status=<span class="hljs-number">0</span>/<span class="hljs-symbol">SUCCESS</span>)
<span class="hljs-symbol">Main</span> <span class="hljs-symbol">PID</span>: <span class="hljs-number">6927</span> (code=exited, status=<span class="hljs-number">0</span>/<span class="hljs-symbol">SUCCESS</span>)
<span class="hljs-symbol">Feb</span> <span class="hljs-number">14</span> <span class="hljs-number">15</span>:<span class="hljs-number">20</span>:<span class="hljs-number">42</span> venus.masdzub.com csf[<span class="hljs-number">6927</span>]: <span class="hljs-symbol">ACCEPT</span> all opt in * out lo ::/<span class="hljs-number">0</span> -> ::/<span class="hljs-number">0</span>
<span class="hljs-symbol">Feb</span> <span class="hljs-number">14</span> <span class="hljs-number">15</span>:<span class="hljs-number">20</span>:<span class="hljs-number">42</span> venus.masdzub.com csf[<span class="hljs-number">6927</span>]: <span class="hljs-symbol">LOGDROPOUT</span> all opt in * out !lo ::/<span class="hljs-number">0</span> -> ::/<span class="hljs-number">0</span>
<span class="hljs-symbol">Feb</span> <span class="hljs-number">14</span> <span class="hljs-number">15</span>:<span class="hljs-number">20</span>:<span class="hljs-number">42</span> venus.masdzub.com csf[<span class="hljs-number">6927</span>]: <span class="hljs-symbol">LOGDROPIN</span> all opt in !lo out * ::/<span class="hljs-number">0</span> -> ::/<span class="hljs-number">0</span>
<span class="hljs-symbol">Feb</span> <span class="hljs-number">14</span> <span class="hljs-number">15</span>:<span class="hljs-number">20</span>:<span class="hljs-number">42</span> venus.masdzub.com csf[<span class="hljs-number">6927</span>]: csf: <span class="hljs-symbol">FASTSTART</span> loading <span class="hljs-symbol">DNS</span> (<span class="hljs-symbol">IPv4</span>)
<span class="hljs-symbol">Feb</span> <span class="hljs-number">14</span> <span class="hljs-number">15</span>:<span class="hljs-number">20</span>:<span class="hljs-number">42</span> venus.masdzub.com csf[<span class="hljs-number">6927</span>]: csf: <span class="hljs-symbol">FASTSTART</span> loading <span class="hljs-symbol">DNS</span> (<span class="hljs-symbol">IPv6</span>)
<span class="hljs-symbol">Feb</span> <span class="hljs-number">14</span> <span class="hljs-number">15</span>:<span class="hljs-number">20</span>:<span class="hljs-number">42</span> venus.masdzub.com csf[<span class="hljs-number">6927</span>]: <span class="hljs-symbol">LOCALOUTPUT</span> all opt -- in * out !lo <span class="hljs-number">0.0</span><span class="hljs-number">.0</span><span class="hljs-number">.0</span>/<span class="hljs-number">0</span> -> <span class="hljs-number">0.0</span><span class="hljs-number">.0</span><span class="hljs-number">.0</span>/<span class="hljs-number">0</span>
<span class="hljs-symbol">Feb</span> <span class="hljs-number">14</span> <span class="hljs-number">15</span>:<span class="hljs-number">20</span>:<span class="hljs-number">42</span> venus.masdzub.com csf[<span class="hljs-number">6927</span>]: <span class="hljs-symbol">LOCALINPUT</span> all opt -- in !lo out * <span class="hljs-number">0.0</span><span class="hljs-number">.0</span><span class="hljs-number">.0</span>/<span class="hljs-number">0</span> -> <span class="hljs-number">0.0</span><span class="hljs-number">.0</span><span class="hljs-number">.0</span>/<span class="hljs-number">0</span>
<span class="hljs-symbol">Feb</span> <span class="hljs-number">14</span> <span class="hljs-number">15</span>:<span class="hljs-number">20</span>:<span class="hljs-number">42</span> venus.masdzub.com csf[<span class="hljs-number">6927</span>]: <span class="hljs-symbol">LOCALOUTPUT</span> all opt in * out !lo ::/<span class="hljs-number">0</span> -> ::/<span class="hljs-number">0</span>
<span class="hljs-symbol">Feb</span> <span class="hljs-number">14</span> <span class="hljs-number">15</span>:<span class="hljs-number">20</span>:<span class="hljs-number">42</span> venus.masdzub.com csf[<span class="hljs-number">6927</span>]: <span class="hljs-symbol">LOCALINPUT</span> all opt in !lo out * ::/<span class="hljs-number">0</span> -> ::/<span class="hljs-number">0</span>
<span class="hljs-symbol">Feb</span> <span class="hljs-number">14</span> <span class="hljs-number">15</span>:<span class="hljs-number">20</span>:<span class="hljs-number">42</span> venus.masdzub.com systemd[<span class="hljs-number">1</span>]: <span class="hljs-symbol">Started</span> <span class="hljs-symbol">ConfigServer</span> <span class="hljs-symbol">Firewall</span> & <span class="hljs-symbol">Security</span> - csf.
Contoh penggunaan CSF
Block IP atau subnet
<span class="hljs-attribute">csf</span> -d <span class="hljs-number">66.254.114.41</span>
csf -d <span class="hljs-number">66.254.114.0</span>/<span class="hljs-number">24</span>
dan akan keluar
<span class="hljs-attribute">Adding</span> <span class="hljs-number">66.254.114.41</span> to csf.deny and iptables DROP…
DROP all opt -- in !lo out * <span class="hljs-number">66.254.114.41</span> -> <span class="hljs-number">0.0.0.0</span>/<span class="hljs-number">0</span>
LOGDROPOUT all opt -- in * out !lo <span class="hljs-number">0.0.0.0</span>/<span class="hljs-number">0</span> -> <span class="hljs-number">66.254.114.41</span>
Menghapus IP atau Subnet yang terblock
<span class="hljs-attribute">csf</span> -dr <span class="hljs-number">66.254.114.41</span>
csf -dr <span class="hljs-number">66.254.114.0</span>/<span class="hljs-number">24</span>
akan muncul seperti ini
<span class="hljs-attribute">Removing</span> rule...
DROP all opt -- in !lo out * <span class="hljs-number">66.254.114.41</span> -> <span class="hljs-number">0.0.0.0</span>/<span class="hljs-number">0</span>
LOGDROPOUT all opt -- in * out !lo <span class="hljs-number">0.0.0.0</span>/<span class="hljs-number">0</span> -> <span class="hljs-number">66.254.114.41</span>
Menambah whitelist IP di firewall
<span class="hljs-selector-tag">csf</span> <span class="hljs-selector-tag">-a</span> 173<span class="hljs-selector-class">.114</span><span class="hljs-selector-class">.182</span><span class="hljs-selector-class">.163</span>
dan akan muncul seperti ini
[root@venus ~]<span class="hljs-comment"># csf -a 173.114.182.163</span>
Adding <span class="hljs-number">173.114</span><span class="hljs-number">.182</span><span class="hljs-number">.163</span> to csf.allow <span class="hljs-keyword">and</span> iptables ACCEPT...
ACCEPT all opt -- <span class="hljs-keyword">in</span> !lo out * <span class="hljs-number">173.114</span><span class="hljs-number">.182</span><span class="hljs-number">.163</span> -> <span class="hljs-number">0.0</span><span class="hljs-number">.0</span><span class="hljs-number">.0</span>/<span class="hljs-number">0</span>
ACCEPT all opt -- <span class="hljs-keyword">in</span> * out !lo <span class="hljs-number">0.0</span><span class="hljs-number">.0</span><span class="hljs-number">.0</span>/<span class="hljs-number">0</span> -> <span class="hljs-number">173.114</span><span class="hljs-number">.182</span><span class="hljs-number">.163</span>
Mengecheck IP terblock / whitelist
<span class="hljs-selector-tag">csf</span> <span class="hljs-selector-tag">-g</span> 173<span class="hljs-selector-class">.114</span><span class="hljs-selector-class">.182</span><span class="hljs-selector-class">.163</span>
jika terblock akan muncul seperti ini
[<span class="hljs-meta">root@venus ~</span>]<span class="hljs-meta"># csf -g 173.114.182.163</span>
Table Chain num pkts bytes target prot opt <span class="hljs-keyword">in</span> <span class="hljs-keyword">out</span> source destination
filter DENYIN <span class="hljs-number">1</span> <span class="hljs-number">0</span> <span class="hljs-number">0</span> DROP all -- !lo * <span class="hljs-number">173.114</span><span class="hljs-number">.182</span><span class="hljs-number">.163</span> <span class="hljs-number">0.0</span><span class="hljs-number">.0</span><span class="hljs-number">.0</span>/<span class="hljs-number">0</span>
filter DENYOUT <span class="hljs-number">1</span> <span class="hljs-number">0</span> <span class="hljs-number">0</span> LOGDROPOUT all -- * !lo <span class="hljs-number">0.0</span><span class="hljs-number">.0</span><span class="hljs-number">.0</span>/<span class="hljs-number">0</span> <span class="hljs-number">173.114</span><span class="hljs-number">.182</span><span class="hljs-number">.163</span>
ip6tables:
Table Chain num pkts bytes target prot opt <span class="hljs-keyword">in</span> <span class="hljs-keyword">out</span> source destination
No matches found <span class="hljs-keyword">for</span> <span class="hljs-number">173.114</span><span class="hljs-number">.182</span><span class="hljs-number">.163</span> <span class="hljs-keyword">in</span> ip6tables
csf.deny: <span class="hljs-number">173.114</span><span class="hljs-number">.182</span><span class="hljs-number">.163</span> <span class="hljs-meta"># Manually denied: 173.114.182.163 (ip-173-114-182-163.anahca.spcsdns.net) - Fri Feb 14 16:30:09 2020</span>
dan jika di whitelist akan seperti ini
[<span class="hljs-meta">root@venus ~</span>]<span class="hljs-meta"># csf -g 173.114.182.163</span>
Table Chain num pkts bytes target prot opt <span class="hljs-keyword">in</span> <span class="hljs-keyword">out</span> source destination
filter ALLOWIN <span class="hljs-number">1</span> <span class="hljs-number">0</span> <span class="hljs-number">0</span> ACCEPT all -- !lo * <span class="hljs-number">173.114</span><span class="hljs-number">.182</span><span class="hljs-number">.163</span> <span class="hljs-number">0.0</span><span class="hljs-number">.0</span><span class="hljs-number">.0</span>/<span class="hljs-number">0</span>
filter ALLOWOUT <span class="hljs-number">1</span> <span class="hljs-number">0</span> <span class="hljs-number">0</span> ACCEPT all -- * !lo <span class="hljs-number">0.0</span><span class="hljs-number">.0</span><span class="hljs-number">.0</span>/<span class="hljs-number">0</span> <span class="hljs-number">173.114</span><span class="hljs-number">.182</span><span class="hljs-number">.163</span>
ip6tables:
Table Chain num pkts bytes target prot opt <span class="hljs-keyword">in</span> <span class="hljs-keyword">out</span> source destination
No matches found <span class="hljs-keyword">for</span> <span class="hljs-number">173.114</span><span class="hljs-number">.182</span><span class="hljs-number">.163</span> <span class="hljs-keyword">in</span> ip6tables
csf.allow: <span class="hljs-number">173.114</span><span class="hljs-number">.182</span><span class="hljs-number">.163</span> <span class="hljs-meta"># Manually allowed: 173.114.182.163 (ip-173-114-182-163.anahca.spcsdns.net) - Fri Feb 14 16:31:41 2020</span>
Kesimpulan
Kurang lebih seperti itulah cara install CSF dan contoh penggunaan dari csf secara singkat. Cukup itu dulu. Jika artikel ini di rasa membantu mohon di bantu untuk di share ke teman lainnya.