
Firewall


How to install and configure CSF (ConfigServer Security & Firewall).

CSF can be used on a wide range of Linux systems, including those running cPanel. It installs together with lfd (the Login Failure Daemon), which watches the authentication logs and blocks addresses that keep failing to log in.

The steps to install and configure CSF on a Linux server follow.

Installation is quite straightforward (run as root; the first command only clears a leftover download):

rm -fv csf.tgz

wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

If you have APF+BFD installed you must disable them first, otherwise the two
firewalls will conflict horribly:

sh disable_apf_bfd.sh

That’s it. You can then configure csf and lfd in WHM, or edit the files
directly in /etc/csf/*

csf is preconfigured to work on a cPanel server with all the standard cPanel
ports open. It also auto-configures your SSH port if it is non-standard at
installation. Note that csf installs in TESTING mode (TESTING = "1" in
/etc/csf/csf.conf): a cron job clears the rules every TESTING_INTERVAL minutes
(5 by default) so that a mistake cannot lock you out, and lfd will not start
while it is set. Once you have confirmed that you can still open a new SSH
session, set TESTING = "0" and restart csf, otherwise the firewall is never
really enforced.

To configure CSF modify the config files in /etc/csf/, or if you are running WHM you can modify the CSF settings in WHM itself. After editing /etc/csf/csf.conf by hand, restart csf and lfd so the new settings are loaded.

You should ensure that the kernel logging daemon (klogd) is enabled. VPS images often ship with it disabled; check /etc/init.d/syslog and make sure that any klogd lines are not commented out. If you change the file, remember to restart syslog. Without klogd the iptables LOG entries never reach syslog, so lfd cannot report on what the firewall is dropping (port-scan tracking in particular depends on them).

See the readme.txt file for more information.

Uninstallation
==============
Removing csf and lfd is even simpler:

cd /etc/csf
sh uninstall.sh

To stop other sites linking directly to your images and media files (hotlinking, which burns your bandwidth), add the following to your .htaccess file (mod_rewrite must be enabled and AllowOverride must permit it):

RewriteEngine on
# Let an empty Referer through (direct visits, privacy tools); otherwise require our own site
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com(/.*)?$ [NC]
# Never rewrite the placeholder image itself, or the redirect loops
RewriteCond %{REQUEST_URI} !^/image\.jpg$
RewriteRule \.(gif|jpe?g|bmp|wmv)$ http://www.domain.com/image.jpg [R,NC,L]

Note: replace domain.com with your own domain. The dots are escaped so that domain\.com does not also match domainXcom, and the trailing (/.*)?$ stops a referer such as http://domain.com.example.net from passing. The REQUEST_URI condition keeps the placeholder image out of the rule; without it the redirect to image.jpg would itself match on the next request and loop. Because the whole check rests on the Referer header, which any client can omit or forge, treat this as a bandwidth measure, not an access control.

Note: do not disable the Windows Firewall unless you have other appropriate firewall software installed on the system.

There are three main methods for disabling the Windows Firewall. The first is for any user with administrative privileges on an individual machine that is not remotely or centrally managed. The other two are for Windows administrators of fully managed systems or Windows Servers.

1) Using the Control Panel

This method is for any user with administrative access to an unmanaged system.

1. From the Start menu, select Control Panel, then select Windows Firewall.
2. Select Off, then click Ok.

2) Using Local Policy

This method is for administrators with administrative access to unmanaged or locally managed systems, where the machine is not a member of a Windows 2000 or later domain.

From the Start menu select Run and enter gpedit.msc.
Expand the Computer Configuration folder, then the Administrative Templates folder.
Expand the Network folder, then the Network Connections folder, then the Windows Firewall folder.
Select the Standard Profile folder.
Double-click the Windows Firewall: Protect all network connections option.
Select Disabled, then click OK.
Select the Domain Profile folder.
Double-click the Windows Firewall: Protect all network connections option.
Select Disabled, then click OK.
Close the Group Policy dialog box.

3) Using Group Policy

This method is for administrators with administrative access to managed machines that are part of a Windows 2000 or 2003 Active Directory domain.

Create a new Group Policy object, and give the object a descriptive name (for example, ITS-Turn off Windows Firewall).
Select the newly created group policy.
Right-click on the newly created policy and select Edit.
Expand the Computer Configuration folder, then the Administrative Templates folder.
Expand the Network folder, then the Network Connections folder, then the Windows Firewall folder.
Select the Standard Profile folder.
Double-click the Windows Firewall: Protect all network connections option.
Select Disabled, then click OK.
Select the Domain Profile folder.
Double-click the Windows Firewall: Protect all network connections option.
Select Disabled, then click OK.
Close the Group Policy dialog box.
In the Security Filtering section, click Add.
Search for the objects that this group policy will be applied to, then click OK.
Close the Group Policy editor.

Unblocking IPs with APF Firewall

A) pico /etc/apf/deny_hosts.rules

Find where the IP is listed and remove the line that has the IP. After this is done save the file and reload apf to make the new changes active.

/etc/apf/apf -r

B) If the IP isn’t listed in deny_hosts.rules and you wish to allow it explicitly:

/etc/apf/apf -a IP Reason
–> The -a flag means ALLOW the IP address
–> IP is the IP address you wish to allow
–> Reason is a comment recording why the IP is being allowed
Example (203.0.113.1 is a documentation address; substitute the real one):

./apf -a 203.0.113.1 UNBLOCKING

pico /etc/apf/allow_hosts.rules

# added 203.0.113.1 on 09/15/06 03:12:50
# UNBLOCKING
203.0.113.1

Blocking IPs with APF Firewall

A) /etc/apf/apf -d IP Reason
–> The -d flag means DENY the IP address
–> IP is the IP address you wish to block
–> Reason is a comment recording why the IP is being blocked

Example:

./apf -d 203.0.113.1 TESTING

vi /etc/apf/deny_hosts.rules

Shows the following:

# added 203.0.113.1 on 08/23/05 01:25:55
# TESTING
203.0.113.1

B) pico /etc/apf/deny_hosts.rules

You can then just add a new line and enter the IP you wish to block. Before this becomes active though you’ll need to reload the APF ruleset.

/etc/apf/apf -r
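The manual edits in A) and B) above are easy to get wrong: an octet above 255 silently matches nothing, and an address listed in both allow_hosts.rules and deny_hosts.rules leaves you guessing which rule wins. The shell functions below are an added example, not code from this page or from the APF distribution. They write the same "# added ... on ..." comment layout that apf -d produces, validate the address (including the CIDR masking the rules files accept), refuse to deny something that is explicitly allowed, and remove an entry together with its comment lines. The file paths are APF's defaults and can be overridden through DENY and ALLOW; 203.0.113.0/24 is a documentation range used as constructed input.

```shell
#!/bin/sh
# Added example: safe edits to APF's allow_hosts.rules / deny_hosts.rules.
# DENY and ALLOW default to the real files; override them to work on copies.
# Addresses in the comments are from the 203.0.113.0/24 documentation range.

DENY="${DENY:-/etc/apf/deny_hosts.rules}"
ALLOW="${ALLOW:-/etc/apf/allow_hosts.rules}"

# valid_ip4 ADDR[/PREFIX]: true for a dotted quad with each octet 0-255 and,
# if present, a prefix length of 0-32 (the "IP masking" the rules files accept).
valid_ip4() {
    addr="${1%%/*}"
    case "$1" in
        */*)
            mask="${1#*/}"
            case "$mask" in ''|*[!0-9]*) return 1 ;; esac
            [ "$mask" -le 32 ] || return 1
            ;;
    esac
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    n=0
    oldifs=$IFS
    IFS=.
    for octet in $addr; do
        n=$((n + 1))
        if [ "$octet" -gt 255 ]; then
            IFS=$oldifs
            return 1
        fi
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# apf_listed FILE ADDR: true if ADDR appears as a whole line in FILE.
apf_listed() {
    grep -qxF -- "$2" "$1" 2>/dev/null
}

# apf_deny_add ADDR [REASON]: append a block in the same layout apf -d writes.
# Refuses invalid addresses and addresses already in allow_hosts.rules, and
# does nothing if the address is already denied.  Run apf -r afterwards.
apf_deny_add() {
    ip="$1"
    reason="${2:-no reason given}"
    if ! valid_ip4 "$ip"; then
        echo "apf_deny_add: '$ip' is not a valid IPv4 address or CIDR block" >&2
        return 1
    fi
    if apf_listed "$ALLOW" "$ip"; then
        echo "apf_deny_add: $ip is in $ALLOW; remove it there first" >&2
        return 1
    fi
    if apf_listed "$DENY" "$ip"; then
        return 0
    fi
    printf '# added %s on %s\n# %s\n%s\n' \
        "$ip" "$(date '+%m/%d/%y %H:%M:%S')" "$reason" "$ip" >> "$DENY"
}

# apf_deny_remove ADDR: drop ADDR and its "# added ..." / reason comment lines
# from deny_hosts.rules, leaving every other entry untouched.  Run apf -r afterwards.
apf_deny_remove() {
    ip="$1"
    tmp="$DENY.tmp.$$"
    awk -v ip="$ip" '
        index($0, "# added " ip " on ") == 1 { skip = 1; next }  # header line for this ip
        skip && /^#/                        { skip = 0; next }  # its reason comment
                                            { skip = 0 }
        $0 == ip                            { next }
                                            { print }
    ' "$DENY" > "$tmp" && mv "$tmp" "$DENY"
}
```

Neither function reloads the ruleset: as the page says, the change only takes effect after /etc/apf/apf -r, and keeping that a separate, deliberate step means you can review the file before the rules go live.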

13 easy steps to install the APF firewall

1) Login as root to your system

2) Download the current APF release (0.9.3_3 at the time of writing) to your system

bash# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

3) Now you have to extract the tar file

bash# tar -zxf apf-current.tar.gz

4) Go to the APF directory

bash# cd apf-0.9.3_3

5) Run the code for installation

bash# ./install.sh

You will be alerted when the installation is complete.

Install path : /etc/apf
Config path : /etc/apf/conf.apf
Executable path : /usr/local/sbin/apf

6) Modify the APF config file according to your user defined requirements.

bash# vi /etc/apf/conf.apf

(Hit i to enter the INSERT mode)

7) Add the ports you want to open for inbound (ingress) traffic. Open only what this server actually serves: every port listed here is reachable from the whole Internet (3306, for example, exposes MySQL, and 6666 only makes sense if you really run a service there).

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"

# Common ICMP (inbound) types
# "internals/icmp.types" for type definition; all is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

The variables mentioned above are already present in the config file. You can customize the ports.

8) You must explicitly tell APF to filter outgoing (egress) traffic as well; by default only inbound traffic is filtered.

Change the line: EGF="0" to EGF="1"

9) Specify the outbound ports to allow.

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,465,873"

# Common ICMP (outbound) types
# "internals/icmp.types" for type definition; "all" is wildcard for any
EG_ICMP_TYPES="all"

10) List any hosts you want to allow or deny outright.

- The allow and deny trust files are located at:
/etc/apf/allow_hosts.rules
/etc/apf/deny_hosts.rules
List the IPs you specifically wish to allow or deny in the respective file.

- The format of these files is one address per line; IP masking (CIDR notation) is supported.
Example:
24.202.16.11
24.202.11.0/24

Save and exit (press Esc, then type :wq and press Enter).

11) Start APF

bash# /usr/local/sbin/apf -s

If everything goes as planned, you’ll go back to the command line.

12) If all goes well, edit the config file and turn off development mode. While DEVM="1" a cron job deactivates APF every 5 minutes so that a bad rule cannot lock you out; until you set it to 0 the firewall is not really enforcing anything.

bash# vi /etc/apf/conf.apf

(Hit i to enter insert mode)

Change DEVM="1" to DEVM="0"

Save and quit (press Esc, then type :wq and press Enter).

13) Restart APF

bash# /usr/local/sbin/apf -r

APF is now installed and enforcing your rules. Confirm that you can open a new SSH session before you close the one you are in.
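Both firewall installs on this page end the same way: the firewall starts in a safe mode (TESTING in /etc/csf/csf.conf for CSF, DEVM in /etc/apf/conf.apf for APF) that flushes the rules on a timer, and you switch that off once the port you are logged in over is in the inbound list (TCP_IN for CSF, IG_TCP_CPORTS for APF). Editing those files by hand is where lock-outs happen, so here is an added example, not code from this page or from the CSF or APF distributions, that does the edits idempotently and refuses to leave safe mode unless the admin port really is in the list. It assumes both files keep one KEY = "value" or KEY="value" setting per line (as they do); CONF, the key names and the port numbers passed in are illustrative, and CONF is meant to be pointed at a copy while you test.

```shell
#!/bin/sh
# Added example: idempotent edits to a csf.conf / conf.apf style file
# (KEY = "value" or KEY="value", one key per line), with a guard that refuses
# to leave TESTING/DEVM mode until the admin port is in the inbound list.
# CONF, the key names and the ports are assumptions for illustration.

CONF="${CONF:-/etc/csf/csf.conf}"

# conf_get KEY: print the quoted value of KEY (empty if the key is absent).
conf_get() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\(.*\)\".*/\1/p" "$CONF" | head -n 1
}

# conf_set KEY VALUE: rewrite only the value, keeping the key's own spacing.
conf_set() {
    tmp="$CONF.tmp.$$"
    sed "s/^\($1[[:space:]]*=[[:space:]]*\)\".*\"/\1\"$2\"/" "$CONF" > "$tmp" \
        && mv "$tmp" "$CONF"
}

# conf_has_port KEY PORT: true if PORT is one of the comma-separated entries
# (exact match, so 22 does not satisfy a check for 2222 or vice versa).
conf_has_port() {
    conf_get "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# conf_add_port KEY PORT: append PORT to the list unless it is already there.
conf_add_port() {
    if conf_has_port "$1" "$2"; then
        return 0
    fi
    cur=$(conf_get "$1")
    if [ -z "$cur" ]; then
        conf_set "$1" "$2"
    else
        conf_set "$1" "$cur,$2"
    fi
}

# go_live LISTKEY FLAGKEY PORT: make sure PORT (the port you are logged in on)
# is in LISTKEY, then set FLAGKEY to 0.  If the port could not be added the
# flag is left alone, so the periodic flush keeps protecting your session.
#   CSF:  go_live TCP_IN TESTING 22        APF:  go_live IG_TCP_CPORTS DEVM 22
go_live() {
    conf_add_port "$1" "$3" || return 1
    conf_has_port "$1" "$3" || return 1
    conf_set "$2" 0
    [ "$(conf_get "$2")" = "0" ]
}
```

Run the functions against a copy first (CONF=/tmp/csf.conf.test), diff the result against the live file, and only then copy it into place and restart the firewall; the flag flip is the one change that must never be guessed at.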

Necessary steps to install Norton Personal Firewall on a computer running Mac OS X.

You can download it from http://software.doit.wisc.edu

To start installation from the download:

1. Most web browsers will automatically attempt to open the installer file as part of the download process.

2. If your browser does not open the file automatically, locate the downloaded file and double click it

3. Read through the license agreement and click Agree to continue.

To start installation from the Security Software Starter CD-ROM:

1. Place the CD in the CD-ROM drive and wait for the disk to mount.

2. When the Security Starter icon appears on the desktop, double-click it.

Installation is identical from this point on for both download and CD-ROM.

1. Open the Norton Personal Firewall folder

2. Open the NPF for OSX folder

3. Double-click Install Personal Firewall.mpkg

4. On some systems, the installer will need to run a program to determine if installation can continue. Click Continue.

5. On the Welcome to Norton Personal Firewall Installer window, click Continue

6. Read the Important Information. Click Continue to proceed.

7. Read the Software License Agreement. Click Continue.

8. You must AGREE with the license terms to continue installation.

9. Select a destination volume where the software should install. Click Continue to proceed.

10. Click Install or Upgrade to perform a standard installation.

11. When prompted to authenticate, enter your username and password. Click OK to continue.

12. You are given a warning that installing the software requires a restart. Click Continue Installation.

13. Once all files are installed, you will be asked if you want to run LiveUpdate. Click Yes.
Note: LiveUpdate requires a connection to the Internet.
14. After LiveUpdate has finished, click Restart to complete the installation.

Running the Norton Personal Firewall Setup Assistant

1. The first time Norton Personal Firewall runs, it will launch the Setup Assistant to help you configure the firewall. Click Continue.

2. Setup Assistant checks for any internet services running on your computer. It displays what it has found in the Access Settings window. If any services were found, you should review them carefully and only allow the ones you are sure you need.

3. If any services are found and you choose to allow them, Setup Assistant will ask you how much access to allow. Choose Only computers on my local network or The entire Internet and click Continue.

4. Using the slider, choose a protection level. The default, Medium, is usually sufficient. Click Continue.

5. Choose whether you wish to participate in Symantec DeepSight by clicking the check box. You can also view the DeepSight privacy policy statement here by clicking the Read the Symantec DeepSight Privacy Policy button. Click Continue.

6. Setup Assistant is finished. Click Done.

The firewall will now run whenever you start your computer.

To build a Linux IP firewall you need a kernel built with IP firewall support and the matching configuration utility. In all production kernels prior to the 2.2 series you would use the ipfwadm utility. The 2.2.x kernels marked the release of the third generation of IP firewall for Linux, called IP Chains (ipchains). The 2.4 kernels introduced netfilter, the result of a large redesign of the packet-handling flow in Linux. Netfilter is a multifaceted creature: it provides direct backward-compatible support for both ipfwadm and ipchains as well as a new alternative command called iptables. We’ll talk about the differences between the three in the next few sections.

Kernel Configured with IP Firewall:

The Linux kernel must be configured to support IP firewalling (building a kernel is covered under “Configuring the Networking Hardware”). In 2.2 kernels you should select the following options:

Networking options —>
[*] Network firewalls
[*] TCP/IP networking
[*] IP: firewalling
[*] IP: firewall packet logging

In kernels 2.4.0 and later you should select this option instead:

Networking options —>
[*] Network packet filtering (replaces ipchains)
IP: Netfilter Configuration —>
  Userspace queueing via NETLINK (EXPERIMENTAL)
  IP tables support (required for filtering/masq/NAT)
  limit match support
  MAC address match support
  netfilter MARK match support
  Multiple port match support
  TOS match support
  Connection state match support
  Unclean match support (EXPERIMENTAL)
  Owner match support (EXPERIMENTAL)
  Packet filtering
  REJECT target support
  MIRROR target support (EXPERIMENTAL)
  Packet mangling
  TOS target support
  MARK target support
  LOG target support
  ipchains (2.2-style) support
  ipfwadm (2.0-style) support

Originally the most popular firewall/NAT package on Linux was ipchains, but it had a number of shortcomings. To rectify this the Netfilter project created iptables, with improvements such as:

1) Better integration with the Linux kernel with the capability of loading iptables-specific kernel modules designed for improved speed and reliability.

2) Stateful packet inspection. This means that the firewall keeps track of each connection passing through it and in certain cases will view the contents of data flows in an attempt to anticipate the next action of certain protocols. This is an important feature in the support of active FTP and DNS, as well as many other network services.

3) Filtering packets based on a MAC address and on the values of the flags in the TCP header. This is helpful in preventing attacks using malformed packets and in restricting access from locally attached servers to other networks regardless of their IP addresses.

4) System logging that provides the option of adjusting the level of detail of the reporting.

5) A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks.

6) Support for transparent integration with such Web proxy programs as Squid.

7) Better network address translation.

Considered a faster and more secure alternative to ipchains, iptables became the default firewall package installed under Red Hat and Fedora Linux.

Download And Install The Iptables Package

Before you begin, make sure the iptables software RPM is installed. When searching for RPMs, remember that the filename usually starts with the package name followed by a version number, as in iptables-1.2.9-1.0.i386.rpm.

You can start iptables with:

[root@]# service iptables start

You can stop iptables with:

[root@]# service iptables stop

You can restart it with:

[root@]# service iptables restart

To get iptables to start at boot, use the chkconfig command:

[root@]# chkconfig iptables on

Determining The Status of iptables

You can determine whether iptables is running via the service iptables status command. Fedora Core gives a simple status message, for example:

[root@]# service iptables status

Firewall is stopped.

[root@]#

Packet Processing In iptables

All packets inspected by iptables pass through a sequence of built-in tables for processing. Each table is dedicated to a particular kind of packet handling and holds a set of chains in which the rules are placed.

There are three tables that matter here (later kernels added the raw and security tables, but these three are the ones you will normally touch).

The first is the mangle table, which is responsible for altering packet headers, for example the type-of-service (TOS) bits in the IP header. It is hardly used in a home or SOHO environment.

The second is the filter table, which does the packet filtering. It has three built-in chains in which you place your firewall policy rules:

Input chain: filters packets addressed to the firewall host itself.

Output chain: filters packets originating from the firewall host.

Forward chain: filters packets routed through the firewall to the servers it protects.

The third is the nat table, which is responsible for network address translation. The two built-in chains you will use are (there is also an OUTPUT chain for locally generated packets):

Pre-routing chain: rewrites the destination address (DNAT) before the routing decision is made; this is how port forwarding works.

Post-routing chain: rewrites the source address (SNAT or masquerading) after the routing decision, once the outgoing interface is known.
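As an added example, not from the original page or from any distribution, here is the table and chain layout just described expressed as a small rule generator that writes iptables-restore format, so the rules can be read and checked before they are loaded. Everything it emits uses only matches and targets listed in the kernel options above (connection state, limit, LOG, REJECT, NAT). The interface name eth0, the port list and the 192.168.1.10:80 forwarding target are assumed values.

```shell
#!/bin/sh
# Added example: a minimal stateful host firewall and a DNAT/masquerade pair in
# iptables-restore format.  Ports, interface name and the forwarding target
# are illustrative assumptions.

# gen_filter_rules "PORT PORT ...": the filter table.  INPUT and FORWARD
# default to DROP; replies to our own connections come back in through the
# connection-state match; whatever is left is logged (rate-limited) and rejected.
gen_filter_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    for p in $1; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # limit match: a flood produces a handful of log lines, not a full disk.
    echo '-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-drop: "'
    # REJECT target: clients get an error now instead of waiting for a timeout.
    echo '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
    echo '-A INPUT -j REJECT'
    echo 'COMMIT'
}

# gen_nat_rules WAN_IF PORT TARGET: the nat table.  PREROUTING changes the
# destination (DNAT) before routing; POSTROUTING changes the source
# (MASQUERADE) after routing, as described above.
gen_nat_rules() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo "-A PREROUTING -i $1 -p tcp --dport $2 -j DNAT --to-destination $3"
    echo "-A POSTROUTING -o $1 -j MASQUERADE"
    echo 'COMMIT'
}

# build_ruleset "PORT PORT ..." [SSH_PORT]: print the filter table, but only if
# the port you administer the box over is in the allow list.  A default-deny
# INPUT chain without it is the classic way to lock yourself out remotely.
build_ruleset() {
    ssh_port="${2:-22}"
    found=0
    for p in $1; do
        if [ "$p" = "$ssh_port" ]; then
            found=1
        fi
    done
    if [ "$found" -ne 1 ]; then
        echo "build_ruleset: refusing, SSH port $ssh_port is not in '$1'" >&2
        return 1
    fi
    gen_filter_rules "$1"
}

# Stand-alone use: print both tables for review, then feed them to iptables-restore.
if [ "${1:-}" = "--print" ]; then
    build_ruleset "22 80 443" && gen_nat_rules eth0 8080 192.168.1.10:80
fi
```

Save the output to a file, check it with iptables-restore --test where your version supports that flag, load it with iptables-restore and confirm with iptables -L -n -v. Two things the generator deliberately leaves visible: a DNAT'd connection still has to pass the filter table's FORWARD chain, which is DROP here, so add an ACCEPT for the target host when you use the nat rules; and net.ipv4.ip_forward must be 1 or nothing is forwarded at all.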