Installing and Configuring CSF on CentOS 7

CSF (Config Server Firewall) is a firewall application that can be used to secure Linux servers. One of its features is intrusion detection for several protocols, including SSH, SMTP, IMAP, POP3, FTP, the "su" command and more. A common example is that CSF detects someone logging in to the server over SSH and sends a report about it; it also detects failed logins to the system. In this tutorial we will install and configure CSF on CentOS 7. The steps are the same on other Linux distributions, and the full feature list is available at https://configserver.com/cp/csf.html

1. Preparation

CSF is written in Perl, so the Perl packages must be present on the server; wget is used to download CSF itself. Install the required packages with the following command:

# yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes

Also stop and disable the firewalld service. CSF manages the iptables rules itself, and two tools rewriting the same tables will conflict:

# systemctl stop firewalld
# systemctl disable firewalld

2. Installation

Once the required packages are installed, it is time to install CSF. Run the following commands:

# wget https://download.configserver.com/csf.tgz
# tar -xzf csf.tgz
# cd csf
# sh install.sh

3. Configuration

After the installation finishes, confirm that the required iptables modules are available and working with the following command:

perl /usr/local/csf/bin/csftest.pl

Example output:

# perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

By default CSF runs in testing mode, in which the rules are cleared periodically so that a misconfiguration cannot lock you out. To make the firewall active, the option in its configuration file must be changed. Open the configuration file:

# vim /etc/csf/csf.conf

Then set the TESTING option to 0, like this:

TESTING = "0"

Adjust the rest of the configuration to your needs, in particular which ports may be reached from outside (TCP_IN) and which outgoing connections are allowed (TCP_OUT), for example:

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,7071,9016,1822,8443"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,143,443,465,587,993,995,7071,9016,1822,7022"
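Before switching TESTING off and enabling the firewall, it is worth confirming that the port your own SSH session uses is actually in TCP_IN: with a DROP policy and the SSH port missing, enabling CSF cuts off the session you are typing in. The following Python 3 script is an added example, not code from CSF or from this tutorial. It parses the `KEY = "value"` lines that csf.conf uses (a constructed excerpt with the values shown above is embedded; a real run would read /etc/csf/csf.conf) and reports whether TESTING is still on and whether the SSH port is missing. The function names and the `ssh_port` parameter are this example's own.

```python
"""Pre-flight checks on csf.conf before running `csf -e`.

Added example, not part of the CSF project.  It parses the KEY = "value"
lines that csf.conf uses and reports settings that would lock the current
SSH session out once the firewall is enabled.
"""
import re

# Constructed excerpt in the csf.conf format, using the values shown in the
# tutorial above.  A real run would read /etc/csf/csf.conf instead.
SAMPLE_CONF = '''
# Testing mode: rules are cleared periodically while this is "1"
TESTING = "0"

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,7071,9016,1822,8443"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,143,443,465,587,993,995,7071,9016,1822,7022"
'''

# One csf.conf setting: KEY = "value" (the value is always double-quoted)
_LINE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"\s*$')


def parse_csf_conf(text):
    """Return a dict of KEY -> value for every KEY = "value" line.

    Comment lines (#) and blank lines are skipped; a later duplicate key
    overrides an earlier one.
    """
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        m = _LINE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def ports(value):
    """Expand a csf port list ("22,80,30000:30010") into a set of ints.

    csf writes port ranges as low:high, so those are expanded as well.
    """
    result = set()
    for item in value.split(','):
        item = item.strip()
        if not item:
            continue
        if ':' in item:
            low, high = item.split(':', 1)
            result.update(range(int(low), int(high) + 1))
        else:
            result.add(int(item))
    return result


def preflight(conf, ssh_port=22):
    """Return the list of problems to fix before enabling the firewall.

    An empty list means TESTING is off and the SSH port is open.
    """
    problems = []
    if conf.get('TESTING', '1') != '0':
        problems.append('TESTING is not "0": rules will be flushed periodically')
    if ssh_port not in ports(conf.get('TCP_IN', '')):
        problems.append('SSH port %d is missing from TCP_IN: enabling the '
                        'firewall would cut off this session' % ssh_port)
    return problems


if __name__ == '__main__':
    findings = preflight(parse_csf_conf(SAMPLE_CONF))
    for p in findings:
        print('WARNING:', p)
    if not findings:
        print('csf.conf looks safe to enable')
```

Run it against the real file with `preflight(parse_csf_conf(open('/etc/csf/csf.conf').read()), ssh_port=<your sshd port>)`; if sshd listens on a non-default port, that port must appear in TCP_IN before `csf -e`.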

When you are done, save the configuration file and run the following command to enable the CSF service:

# csf -e

Check the result with:

# iptables -L

The output should look something like this:

# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination 
ACCEPT tcp -- google-public-dns-b.google.com anywhere tcp dpt:domain
ACCEPT udp -- google-public-dns-b.google.com anywhere udp dpt:domain
ACCEPT tcp -- google-public-dns-b.google.com anywhere tcp spt:domain
ACCEPT udp -- google-public-dns-b.google.com anywhere udp spt:domain
ACCEPT tcp -- google-public-dns-a.google.com anywhere tcp dpt:domain
ACCEPT udp -- google-public-dns-a.google.com anywhere udp dpt:domain
ACCEPT tcp -- google-public-dns-a.google.com anywhere tcp spt:domain
ACCEPT udp -- google-public-dns-a.google.com anywhere udp spt:domain
LOCALINPUT all -- anywhere anywhere 
ACCEPT all -- anywhere anywhere 
INVALID tcp -- anywhere anywhere 
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:domain
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:urd
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:submission
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:es-elmd
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:us-srv
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:61208
ACCEPT udp -- anywhere anywhere ctstate NEW udp dpt:ftp-data
ACCEPT udp -- anywhere anywhere ctstate NEW udp dpt:ftp
ACCEPT udp -- anywhere anywhere ctstate NEW udp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp echo-reply limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
LOGDROPIN all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination 
ACCEPT tcp -- anywhere google-public-dns-b.google.com tcp dpt:domain
ACCEPT udp -- anywhere google-public-dns-b.google.com udp dpt:domain
ACCEPT tcp -- anywhere google-public-dns-b.google.com tcp spt:domain
ACCEPT udp -- anywhere google-public-dns-b.google.com udp spt:domain
ACCEPT tcp -- anywhere google-public-dns-a.google.com tcp dpt:domain
ACCEPT udp -- anywhere google-public-dns-a.google.com udp dpt:domain
ACCEPT tcp -- anywhere google-public-dns-a.google.com tcp spt:domain
ACCEPT udp -- anywhere google-public-dns-a.google.com udp spt:domain
LOCALOUTPUT all -- anywhere anywhere 
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:domain
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT all -- anywhere anywhere 
INVALID tcp -- anywhere anywhere 
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:domain
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:auth
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:submission
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:es-elmd
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:61208
ACCEPT udp -- anywhere anywhere ctstate NEW udp dpt:ftp-data
ACCEPT udp -- anywhere anywhere ctstate NEW udp dpt:ftp
ACCEPT udp -- anywhere anywhere ctstate NEW udp dpt:domain
ACCEPT udp -- anywhere anywhere ctstate NEW udp dpt:auth
ACCEPT udp -- anywhere anywhere ctstate NEW udp dpt:ntp
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
LOGDROPOUT all -- anywhere anywhere

Chain ALLOWIN (1 references)
target prot opt source destination 
ACCEPT all -- 120-188-81-239.resources.indosat.com anywhere

Chain ALLOWOUT (1 references)
target prot opt source destination 
ACCEPT all -- anywhere 120-188-81-239.resources.indosat.com

Chain DENYIN (1 references)
target prot opt source destination

Chain DENYOUT (1 references)
target prot opt source destination

Chain INVALID (2 references)
target prot opt source destination 
INVDROP all -- anywhere anywhere ctstate INVALID
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
INVDROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
INVDROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
INVDROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
INVDROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
INVDROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
INVDROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
INVDROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN ctstate NEW

Chain INVDROP (10 references)
target prot opt source destination 
DROP all -- anywhere anywhere

Chain LOCALINPUT (1 references)
target prot opt source destination 
ALLOWIN all -- anywhere anywhere 
DENYIN all -- anywhere anywhere

Chain LOCALOUTPUT (1 references)
target prot opt source destination 
ALLOWOUT all -- anywhere anywhere 
DENYOUT all -- anywhere anywhere

Chain LOGDROPIN (1 references)
target prot opt source destination 
DROP tcp -- anywhere anywhere tcp dpt:telnet
DROP udp -- anywhere anywhere udp dpt:telnet
DROP tcp -- anywhere anywhere tcp dpt:bootps
DROP udp -- anywhere anywhere udp dpt:bootps
DROP tcp -- anywhere anywhere tcp dpt:bootpc
DROP udp -- anywhere anywhere udp dpt:bootpc
DROP tcp -- anywhere anywhere tcp dpt:sunrpc
DROP udp -- anywhere anywhere udp dpt:sunrpc
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP udp -- anywhere anywhere udp dpt:auth
DROP tcp -- anywhere anywhere tcp dpts:epmap:netbios-ssn
DROP udp -- anywhere anywhere udp dpts:epmap:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
DROP udp -- anywhere anywhere udp dpt:microsoft-ds
DROP tcp -- anywhere anywhere tcp dpt:isakmp
DROP udp -- anywhere anywhere udp dpt:isakmp
DROP tcp -- anywhere anywhere tcp dpt:login
DROP udp -- anywhere anywhere udp dpt:who
DROP tcp -- anywhere anywhere tcp dpt:efs
DROP udp -- anywhere anywhere udp dpt:router
LOG tcp -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *TCP_IN Blocked* "
LOG udp -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *UDP_IN Blocked* "
LOG icmp -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *ICMP_IN Blocked* "
DROP all -- anywhere anywhere

Chain LOGDROPOUT (1 references)
target prot opt source destination 
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *TCP_OUT Blocked* "
LOG udp -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *UDP_OUT Blocked* "
LOG icmp -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *ICMP_OUT Blocked* "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

If the iptables output shows firewall rules like those in the example above, CSF is running.
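Eyeballing a few hundred lines of `iptables -L` is error-prone, so it helps to check the shape of the ruleset mechanically: DROP policies on INPUT and OUTPUT, an ACCEPT for the SSH service on INPUT, and the LOGDROPIN chain as the final catch-all. The following Python 3 script is an added example, not code from CSF or from this tutorial. It parses the text format `iptables -L` prints (a constructed, trimmed excerpt of the output above is embedded) into chains and rules and returns a list of findings; the function names and the `ssh_service` parameter are this example's own.

```python
"""Sanity-check `iptables -L` output after `csf -e`.

Added example, not part of the CSF project.  It parses the text that
`iptables -L` prints into chains and verifies the shape a working CSF
ruleset has.
"""
import re

# Constructed, trimmed excerpt of the `iptables -L` output shown above.
# A real run would feed in the output of `iptables -L` instead.
SAMPLE_OUTPUT = """\
Chain INPUT (policy DROP)
target prot opt source destination
LOCALINPUT all -- anywhere anywhere
INVALID tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:https
LOGDROPIN all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
LOCALOUTPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
LOGDROPOUT all -- anywhere anywhere

Chain LOGDROPIN (1 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:telnet
LOG tcp -- anywhere anywhere limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *TCP_IN Blocked* "
DROP all -- anywhere anywhere
"""

# Built-in chains carry "(policy X)", user chains "(N references)"
_CHAIN = re.compile(r'^Chain (\S+) \((?:policy (\S+)|\d+ references)\)$')


def parse_iptables(text):
    """Return {chain: {"policy": str or None, "rules": [rule, ...]}}.

    Each rule keeps its target, protocol and the trailing match text
    (e.g. "ctstate NEW tcp dpt:ssh") so callers need not re-parse lines.
    """
    chains = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _CHAIN.match(line)
        if m:
            current = chains[m.group(1)] = {'policy': m.group(2), 'rules': []}
            continue
        if current is None or line.startswith('target '):
            continue  # column header row
        # target prot opt source destination [match text]
        parts = line.split(None, 5)
        current['rules'].append({
            'target': parts[0],
            'prot': parts[1],
            'match': parts[5] if len(parts) > 5 else '',
        })
    return chains


def accepted_new_tcp(chains, chain='INPUT'):
    """Service names or port numbers ACCEPTed for new TCP connections."""
    found = set()
    for rule in chains.get(chain, {}).get('rules', []):
        if rule['target'] == 'ACCEPT' and rule['prot'] == 'tcp':
            m = re.search(r'dpt:(\S+)', rule['match'])
            if m and 'ctstate NEW' in rule['match']:
                found.add(m.group(1))
    return found


def check_csf_active(text, ssh_service='ssh'):
    """Return a list of findings; an empty list means the ruleset looks like CSF."""
    chains = parse_iptables(text)
    findings = []
    for name in ('INPUT', 'OUTPUT'):
        if chains.get(name, {}).get('policy') != 'DROP':
            findings.append('%s policy is not DROP' % name)
    if ssh_service not in accepted_new_tcp(chains):
        findings.append('no ACCEPT for %s on INPUT' % ssh_service)
    rules = chains.get('INPUT', {}).get('rules', [])
    if not rules or rules[-1]['target'] != 'LOGDROPIN':
        findings.append('INPUT does not end in the LOGDROPIN catch-all')
    return findings


if __name__ == '__main__':
    for f in check_csf_active(SAMPLE_OUTPUT) or ['ruleset looks like CSF']:
        print(f)
```

On the server itself, pipe the live ruleset in with `check_csf_active(subprocess.check_output(['iptables', '-L']).decode())`; `iptables -L` resolves port numbers to service names, so pass `ssh_service='22'` (or run `iptables -L -n`) if the name lookup is disabled.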

That concludes this tutorial on installing and configuring CSF on CentOS 7.

Thank you, and I hope it was useful.
