csf防火墙配置

昨天搭建上网环境,服务器客户端都安装好了,但就是连不上。

只能一个个排查了。
1  服务端安装有没问题。
2 客户端版本或安装有没问题。试了下免费的账号可以连上,证明客户端是没问题的。
3 为何两者连不上,中间有什么阻碍。

最后才把问题定位到防火墙问题,之前装了个csf防火墙,把他关了之后就可以连上了,因为防火墙不允许我新开的端口,在防火墙里配置上网账号的端口,就可以用了。

简单说说csf防火墙吧
1 防止暴力破解密码,自动屏蔽连续登陆失败的IP
2 管理网络端口,只开放必要的端口
3 免疫小流量的 DDos 和 CC 攻击。
csf防火墙提供了基于web GUI的管理方式,并且提供 cPanel 插件,而且还可以基于CLI来管理,其实,说实话,我连vps的管理面板是个什么东西都不知道,更别说见过了,朋友的vps,平时维护什么的都是ssh上来的。从来没用过面板什么的。
csf的安装:
一、安装依赖包:
yum install perl-libwww-perl perl iptables

二、下载并安装 CSF:
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

三、测试 CSF 是否能正常工作:
[root@localhost csf]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing xt_connlimit…OK
Testing ipt_owner/xt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK
RESULT: csf should function on this server

csf的配置:
CSF的配置文件是 /etc/csf/csf.conf

Allow incoming TCP ports

推荐您更改 SSH 的默认端口(22)为其他端口,但请注意一定要把新的端口加到下一行中

TCP_IN = “20,21,47,81,1723,25,53,80,110,143,443,465,587,993,995〃

Allow outgoing TCP ports同上,把 SSH 的登录端口加到下一行。

在某些程序要求打开一定范围的端口的情况下,例如Pureftpd的passive mode,可使用类似 30000:35000 的方式打开30000-35000范围的端口。

TCP_OUT = “20,21,47,81,1723,25,53,80,110,113,443〃

Allow incoming UDP ports

UDP_IN = “20,21,53〃

Allow outgoing UDP ports

To allow outgoing traceroute add 33434:33523 to this list

UDP_OUT = “20,21,53,113,123〃

Allow incoming PING 是否允许别人ping你的服务器,默认为1,允许。0为不允许。

ICMP_IN = “1〃

以上这些配置大家一看就懂了,下面再介绍几个比较常用的:
免疫某些类型的小规模 DDos 攻击:

Connection Tracking. This option enables tracking of all connections from IP

addresses to the server. If the total number of connections is greater than

this value then the offending IP address is blocked. This can be used to help

prevent some types of DOS attack.

#

Care should be taken with this option. It’s entirely possible that you will

see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD

and HTTP so it could be quite easy to trigger, especially with a lot of

closed connections in TIME_WAIT. However, for a server that is prone to DOS

attacks this may be very useful. A reasonable setting for this option might

be arround 200.

#

To disable this feature, set this to 0

CT_LIMIT = “200″##固定时间内同一个IP请求的此数

Connection Tracking interval. Set this to the the number of seconds between

connection tracking scans

CT_INTERVAL = “30″ ##指上面的固定时间,单位为秒

Send an email alert if an IP address is blocked due to connection tracking

CT_EMAIL_ALERT = “1″ ##是否发送邮件

If you want to make IP blocks permanent then set this to 1, otherwise blocks

will be temporary and will be cleared after CT_BLOCK_TIME seconds

是否对可疑IP采取永久屏蔽,默认为0,即临时性屏蔽。

CT_PERMANENT = “0″

If you opt for temporary IP blocks for CT, then the following is the interval

in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)

临时性屏蔽时间

CT_BLOCK_TIME = “1800″

If you don’t want to count the TIME_WAIT state against the connection count

then set the following to “1〃

CT_SKIP_TIME_WAIT = “0″ ##是否统计TIME_WAIT链接状态

If you only want to count specific states (e.g. SYN_RECV) then add the states

to the following as a comma separated list. E.g. “SYN_RECV,TIME_WAIT”

Leave this option empty to count all states against CT_LIMIT

CT_STATES = “” ##是否分国家来统计,填写的是国家名

If you only want to count specific ports (e.g. 80,443) then add the ports

to the following as a comma separated list. E.g. “80,443〃

#

Leave this option empty to count all ports against CT_LIMIT

对什么端口进行检测,为空则检测所有,防止ssh的话可以为空,统计所有的。

CT_PORTS = “”

做了以上设置之后,可以先测试一下。如果没有问题的话,就更改为正式模式,刚才只是测试模式。

把默认的1修改为0。

TESTING = “0″

在/etc/csf/下面还有2个文件
csf.allow和csf.deny
这里面保存的就是允许的IP和禁止的IP,可以手动编辑这两个文件,比如想禁止某人来访问本站,就把他的IP加入到csf.deny列表里面去,或者是为了防止误封。可以把自己的IP加入到csf.allow列表里面去。加入之后记得重启一下csf防火墙。
/etc/init.d/csf restart或者csf -r 都可以重启。

发表评论