Server Security Attack and Defense: Configuring the CSF Firewall


In the previous post we covered installing the CSF firewall on CentOS. This post continues with the basic CSF settings.

CSF bundles a set of firewall rules: which ports are open, the criteria by which an IP address is judged malicious, and what is done with it. It also ships lfd (Login Failure Daemon), which watches the authentication logs and blocks IPs that repeatedly fail to log in; this is good protection against password brute-forcing. Even with lfd in place, however, a long and hard-to-guess password still matters, because a weak password can be found within the few attempts lfd permits before it blocks the source.

CSF's configuration file is /etc/csf/csf.conf. Open it in the text editor you are used to (vim, nano, etc.) and adjust it so that CSF fits your server.
Managing which ports are open:
# Allow incoming TCP ports
# It is recommended to move SSH off its default port (22), but the new port must be added to the list on the next line before CSF is restarted, or you will lock yourself out.
# Note that 47 below is a TCP port; it does not open GRE (IP protocol 47), which PPTP on 1723 additionally needs.
TCP_IN = "20,21,47,81,1723,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
# Same list format. Incoming SSH logins are governed by TCP_IN only; add your SSH port here only if the server itself has to open SSH connections to other hosts (scp, rsync over SSH, git over SSH).
# When a program needs a whole range of ports, for example Pure-FTPd in passive mode, write the range as 30000:35000 to open ports 30000 through 35000 (for passive FTP the range belongs in TCP_IN, because the client connects in to those ports).
TCP_OUT = "20,21,47,81,1723,25,53,80,110,113,443"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

# Allow incoming PING: whether others may ping your server. The default 1 allows it; 0 refuses it.
ICMP_IN = "1"

Mitigating some kinds of small-scale DoS attack:
# Connection Tracking. This option enables tracking of all connections from IP
# addresses to the server. If the total number of connections is greater than
# this value then the offending IP address is blocked. This can be used to help
# prevent some types of DOS attack.
#
# Care should be taken with this option. It's entirely possible that you will
# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
# and HTTP so it could be quite easy to trigger, especially with a lot of
# closed connections in TIME_WAIT. However, for a server that is prone to DOS
# attacks this may be very useful. A reasonable setting for this option might
# be around 200.
#
# To disable this feature, set this to 0
CT_LIMIT = "200"

# Connection Tracking interval. Set this to the number of seconds between
# connection tracking scans
CT_INTERVAL = "30"

# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = "1"

# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
# Whether to block flagged IPs permanently; the default 0 makes the block temporary.
CT_PERMANENT = "0"

# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins)
# Duration of a temporary block
CT_BLOCK_TIME = "1800"

# If you don't want to count the TIME_WAIT state against the connection count
# then set the following to "1"
CT_SKIP_TIME_WAIT = "0"

# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
#
# Leave this option empty to count all states against CT_LIMIT
CT_STATES = ""

# If you only want to count specific ports (e.g. 80,443) then add the ports
# to the following as a comma separated list. E.g. "80,443"
#
# Leave this option empty to count all ports against CT_LIMIT
# Usually only port 80 (HTTP) needs to be counted; if the server also serves HTTPS, add 443 as well.
CT_PORTS = "80"
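The comments above describe how CT_LIMIT, CT_STATES, CT_PORTS and CT_SKIP_TIME_WAIT interact, and why TIME_WAIT produces false positives. The script below is an added example, not lfd's own code: it reproduces that per-IP counting over a constructed `ss -Htan` style listing (the addresses and the limit of 4 are made up for illustration; the real default is 200), so you can see which knob would have blocked which client before turning it on.

```shell
#!/bin/sh
# Added example, not part of CSF: emulate the connection-tracking count
# (CT_LIMIT / CT_STATES / CT_PORTS / CT_SKIP_TIME_WAIT) over an `ss -Htan`
# style listing. The limit is set far below the real default of 200 only to
# keep the constructed sample short.

# Constructed sample in the column layout of `ss -Htan`:
# State Recv-Q Send-Q Local:Port Peer:Port   (not captured from a real host)
SAMPLE='ESTAB     0 0 203.0.113.10:80  198.51.100.7:51000
ESTAB     0 0 203.0.113.10:80  198.51.100.7:51001
TIME-WAIT 0 0 203.0.113.10:80  198.51.100.7:51002
TIME-WAIT 0 0 203.0.113.10:80  198.51.100.7:51003
TIME-WAIT 0 0 203.0.113.10:80  198.51.100.7:51004
SYN-RECV  0 0 203.0.113.10:80  192.0.2.99:40000
SYN-RECV  0 0 203.0.113.10:80  192.0.2.99:40001
SYN-RECV  0 0 203.0.113.10:80  192.0.2.99:40002
ESTAB     0 0 203.0.113.10:443 192.0.2.99:40003
ESTAB     0 0 203.0.113.10:21  192.0.2.50:50000
ESTAB     0 0 203.0.113.10:21  192.0.2.50:50001'

# ct_offenders LIMIT STATES PORTS SKIP_TIME_WAIT  < listing
# Prints "ip count" (sorted) for every peer IP whose counted connections
# exceed LIMIT. STATES and PORTS use the csf.conf syntax (comma separated,
# empty = all). ss spells states with a dash (TIME-WAIT) where csf.conf uses
# an underscore (TIME_WAIT), so the state is normalised first.
ct_offenders() {
    awk -v limit="$1" -v states="$2" -v ports="$3" -v skiptw="$4" '
    BEGIN {
        ns = split(states, s, ","); for (i = 1; i <= ns; i++) if (s[i] != "") want_state[s[i]] = 1
        np = split(ports, p, ",");  for (i = 1; i <= np; i++) if (p[i] != "") want_port[p[i]] = 1
    }
    NF >= 5 {
        state = $1; gsub(/-/, "_", state)       # TIME-WAIT -> TIME_WAIT
        lport = $4; sub(/.*:/, "", lport)       # local (server) port
        ip = $5;    sub(/:[0-9]+$/, "", ip)     # peer address (IPv4 sample)
        if (skiptw == "1" && state == "TIME_WAIT") next
        if (states != "" && !(state in want_state)) next
        if (ports != "" && !(lport in want_port)) next
        count[ip]++
    }
    END { for (ip in count) if (count[ip] + 0 > limit + 0) print ip, count[ip] }' | sort
}

echo "== all states, all ports, limit 4: TIME_WAIT pushes 198.51.100.7 over =="
printf '%s\n' "$SAMPLE" | ct_offenders 4 "" "" 0
echo "== same with CT_SKIP_TIME_WAIT=1: nobody is blocked =="
printf '%s\n' "$SAMPLE" | ct_offenders 4 "" "" 1
echo "== CT_STATES=SYN_RECV, limit 2: the half-open flood from 192.0.2.99 =="
printf '%s\n' "$SAMPLE" | ct_offenders 2 "SYN_RECV" "" 0
echo "== CT_PORTS=80, limit 2: the FTP client on port 21 is ignored =="
printf '%s\n' "$SAMPLE" | ct_offenders 2 "" "80" 0
```

On a live host the same function can be fed real data with ss -Htan | ct_offenders 200 "" "80" 0 (on iproute2 versions without -H, use ss -tan | tail -n +2). It only reports; it does not block anything, and it counts IPv4 peers only, which is all the constructed sample contains.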

There are many more settings; the comments in the file (in English) explain each one, so read them and tune the options to your needs. When you have finished editing, remember to turn off testing mode (and afterwards run csf -r to restart CSF and lfd so the new configuration is applied):

# Testing flag - enables a CRON job that clears iptables in case of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. in case you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
# Change the default 1 to 0.
TESTING = "0"
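The two lockout mistakes this post warns about, an SSH port moved in sshd_config without being added to TCP_IN (the port section above) and TESTING left at 1 (this section), can both be caught before csf is restarted. The script below is an added example, not CSF's own code. It assumes csf.conf uses its standard KEY = "value" lines and sshd_config its standard Port N directive; the three sample files it writes are constructed for the demonstration, not copied from a real server.

```shell
#!/bin/sh
# Added example, not CSF's own code: a pre-restart check for an sshd port
# missing from TCP_IN and for TESTING still set to 1. Both file paths are
# parameters; the sample files at the bottom are constructed.

# csf_get FILE KEY -> value of the last `KEY = "value"` line in a csf.conf file
csf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# port_allowed LIST PORT -> succeeds when PORT is covered by the csf-style
# list (single ports, or lo:hi ranges such as 30000:35000)
port_allowed() {
    want=$2
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case $item in
            *:*)
                lo=${item%%:*}; hi=${item##*:}
                if [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ]; then return 0; fi ;;
            *)
                if [ "$item" = "$want" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# sshd_port SSHD_CONFIG -> the effective Port (22 when no Port line is set)
sshd_port() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | tail -n 1)
    printf '%s' "${p:-22}"
}

# csf_preflight CSF_CONF SSHD_CONF -> reports each check; exit 0 only if all pass
csf_preflight() {
    rc=0
    port=$(sshd_port "$2")
    tcp_in=$(csf_get "$1" TCP_IN)
    if port_allowed "$tcp_in" "$port"; then
        echo "ok:   sshd port $port is covered by TCP_IN"
    else
        echo "FAIL: sshd port $port is not in TCP_IN=\"$tcp_in\" (restarting csf would lock you out)"
        rc=1
    fi
    testing=$(csf_get "$1" TESTING)
    if [ "$testing" = "0" ]; then
        echo "ok:   TESTING = 0"
    else
        echo "FAIL: TESTING = \"$testing\" (the cron job will keep flushing the rules)"
        rc=1
    fi
    return $rc
}

# Constructed sshd_config fragment and two constructed csf.conf fragments:
# one with both mistakes, one corrected.
SSHD_SAMPLE=$(mktemp)
printf 'Port 2222\nPermitRootLogin no\n' > "$SSHD_SAMPLE"
CSF_BAD=$(mktemp)
printf 'TESTING = "1"\nTCP_IN = "20,21,22,25,53,80,443,30000:35000"\n' > "$CSF_BAD"
CSF_GOOD=$(mktemp)
printf 'TESTING = "0"\nTCP_IN = "20,21,2222,25,53,80,443,30000:35000"\n' > "$CSF_GOOD"

echo "== before fixing =="; csf_preflight "$CSF_BAD" "$SSHD_SAMPLE" || true
echo "== after fixing ==";  csf_preflight "$CSF_GOOD" "$SSHD_SAMPLE"
```

On a real host call csf_preflight /etc/csf/csf.conf /etc/ssh/sshd_config and only run csf -r once it prints no FAIL line. The check only reads the two files and changes nothing; it reads Port from the main sshd_config only and does not follow Include directives or Match blocks, so verify the port by hand if you use those.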

Next time we will move on to the basic day-to-day management of CSF.
