
How to use the CSF firewall on CentOS 7 to block IPs from China or Russia, including a detailed tutorial for installing CSF on CentOS 7


Disable firewalld.

    # systemctl disable firewalld
    # systemctl stop firewalld

Install iptables.

    # yum -y install iptables-services

Create files needed by iptables.

    # touch /etc/sysconfig/iptables
    # touch /etc/sysconfig/ip6tables

Start iptables.

    # systemctl start iptables
    # systemctl start ip6tables

Enable iptables at boot.

    # systemctl enable iptables
    # systemctl enable ip6tables

Install the CSF dependencies.

    # yum -y install wget perl unzip net-tools perl-libwww-perl perl-LWP-Protocol-https perl-GDGraph

Download and launch the CSF installer.

    # cd /opt
    # wget https://download.configserver.com/csf.tgz
    # tar -xzf csf.tgz
    # cd csf
    # sh install.sh

Step 2: Configuration (reference tutorial: https://www.howtoforge.com/tutorial/install-and-configure-csf-config-server-firewall-on-centos-7/)
------------------------------------

At the end of the installer output you should see a message that the CSF installation is complete.

Now check that CSF really works on this server. Go to the "/usr/local/csf/bin/" directory and run "csftest.pl".

    # cd /usr/local/csf/bin/
    # perl csftest.pl

If you see the test result shown below, CSF can run without problems on your server:

    RESULT: csf should function on this server

Step 3 - Configure CSF on CentOS 7
------------------------------------

Before stepping into the CSF configuration process, the first thing you must know is that CentOS 7 has a default firewall application called "firewalld". You have to stop firewalld and remove it from the startup.

Stop firewalld:

    # systemctl stop firewalld

Disable/remove firewalld from the startup:

    # systemctl disable firewalld

Then go to the CSF configuration directory "/etc/csf/" and edit the file "csf.conf" with the vi editor:

    # cd /etc/csf/
    # vi csf.conf

Change "TESTING" on line 11 to "0" to apply the firewall configuration.

    TESTING = "0"

By default CSF allows incoming and outgoing traffic for the standard SSH port 22. If you use a different SSH port, add your port to "TCP_IN" on line 139.

Now start CSF and LFD with the systemctl command:

    # systemctl start csf
    # systemctl start lfd

And then enable the csf and lfd services to be started at boot time:

    # systemctl enable csf
    # systemctl enable lfd

Final step: block a country by editing the csf.conf file
--------------------------------------------------

Here are some tweaks for CSF, so you can configure it as you need. Go back to the CSF configuration directory and edit the csf.conf configuration file:

    # cd /etc/csf/
    # vi csf.conf

1. Don't block IP addresses that are in the csf.allow files.

By default lfd will also block an IP listed in the csf.allow files, so if you want an IP in the csf.allow files never to be blocked by lfd, go to line 272 and change "IGNORE_ALLOW" to "1". This is useful when you have a static IP at home or in the office and want to ensure that your IP never gets blocked by the firewall on your internet server.

    IGNORE_ALLOW = "1"

2. Allow incoming and outgoing ICMP.

Go to line 152 for incoming ping/ICMP:

    ICMP_IN = "1"

And line 159 for outgoing ping/ICMP:

    ICMP_OUT = "1"

3. Block certain countries.

CSF provides an option to allow and deny access by country, using two-letter country codes that it resolves to that country's CIDR ranges. Go to line 836 and add the country codes that shall be allowed and denied:

    CC_DENY = "CN,UK,US"
    CC_ALLOW = "ID,MY,DE"

4. Send the su and SSH login log by email.

You can set an email address that LFD uses to send an email about "SSH Login" events and users that run the "su" command. Go to line 1069 and change the value to "1".

    LF_SSH_EMAIL_ALERT = "1"
    ...
    LF_SU_EMAIL_ALERT = "1"

And then define the email address you want to use on line 588.

    LF_ALERT_TO = "mymail@mydomain.tld"

If you want more tweaks, read the options in the "/etc/csf/csf.conf" configuration file.
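
The line numbers quoted above (11, 139, 272 and so on) can differ between CSF releases, so the sketch below sets the same options by name and only leaves testing mode when the SSH port is listed in TCP_IN. It is an added example, not part of the original tutorial or of CSF itself; the function names, the CSF_CONF variable and the sample file contents are assumptions made for illustration.

```shell
# Added example (not from the tutorial): set csf.conf options by name, not line number.
# Needs GNU sed (present on CentOS 7). CSF_CONF may point at a copy for a dry run.
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# Write a small constructed sample (not a real csf.conf) for rehearsal.
csf_write_sample() {
    printf '%s\n' 'TESTING = "1"' 'TCP_IN = "20,21,22,80,443,30000:35000"' \
        'ICMP_IN = "0"' 'ICMP_OUT = "0"' 'IGNORE_ALLOW = "0"' 'CC_DENY = ""' > "$1"
}

# Print the current value of a setting (the text between the double quotes).
csf_get() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$CSF_CONF" | head -n 1
}

# Replace the value of an existing setting; fail if the key is absent.
csf_set() {
    grep -q "^$1[[:space:]]*=" "$CSF_CONF" || { echo "missing setting: $1" >&2; return 1; }
    sed -i "s|^\($1[[:space:]]*=[[:space:]]*\)\"[^\"]*\"|\1\"$2\"|" "$CSF_CONF"
}

# Succeed if TCP port $1 is in TCP_IN, either listed alone or inside a low:high range.
csf_port_allowed() {
    for entry in $(csf_get TCP_IN | tr ',' ' '); do
        case "$entry" in
            *:*) [ "$1" -ge "${entry%%:*}" ] && [ "$1" -le "${entry##*:}" ] && return 0 ;;
            *)   [ "$1" -eq "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

# Apply the tutorial's tweaks; TESTING is switched off only when the SSH port is open.
# $1 = SSH port, $2 = comma-separated country codes for CC_DENY.
csf_apply() {
    csf_set IGNORE_ALLOW 1 && csf_set ICMP_IN 1 && csf_set ICMP_OUT 1 &&
        csf_set CC_DENY "$2" || return 1
    if csf_port_allowed "$1"; then
        csf_set TESTING 0
    else
        echo "port $1 is not in TCP_IN; TESTING left at $(csf_get TESTING)" >&2
        return 2
    fi
}
```

To rehearse, point CSF_CONF at a file created with csf_write_sample and call csf_apply with your SSH port and the country list. After changing the real /etc/csf/csf.conf, reload the rules with "csf -r".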
