Install and Configure ConfigServer Security & Firewall (CSF) in Linux


If you look at IT-related job postings anywhere, you will notice a steady demand for security pros. This means not only that cybersecurity is an interesting field of study, but also that it is a very lucrative one.

With that in mind, in this article we will explain how to install and configure ConfigServer Security & Firewall (also known as CSF for short), a full-fledged security suite for Linux, and share a couple of typical use cases. You will then be able to use CSF as a firewall and intrusion/login failure detection system to harden the servers you are responsible for.

Without further ado, let's get started.

Installing and Configuring CSF in Linux

To begin, please note that Perl and libwww are prerequisites for installing CSF on any of the supported distributions (RHEL and CentOS, openSUSE, Debian, and Ubuntu). Since they should be available by default, no action is required on your part unless one of the following steps returns a fatal error (in that case, use the package management system to install the missing dependencies).

# yum install perl-libwww-perl
# apt install libwww-perl
# cd /usr/src
# wget https://download.configserver.com/csf.tgz
# tar xzf csf.tgz
# cd csf

This part of the process will check that all dependencies are installed, create the necessary directory structures and files for the web interface, detect the currently open ports, and remind you to restart the csf and lfd daemons after you are done with the initial configuration.

# sh install.sh
# perl /usr/local/csf/bin/csftest.pl

The expected output of the above command is as follows:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Disable firewalld if it is running, and configure CSF.

# systemctl stop firewalld
# systemctl disable firewalld

Change TESTING = "1" to TESTING = "0" (otherwise, the lfd daemon will fail to start) and list the allowed incoming and outgoing ports as comma-separated lists (TCP_IN and TCP_OUT, respectively) in /etc/csf/csf.conf as shown in the output below:

# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "0"

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

Once you are happy with the configuration, save the changes and return to the command line.

# systemctl restart {csf,lfd}
# systemctl enable {csf,lfd}
# systemctl is-active {csf,lfd}
# csf -v

At this point we are ready to start setting up firewall and intrusion detection rules, as discussed next.

Setting Up CSF and Intrusion Detection Rules

First off, you will want to inspect the current firewall rules as follows:

# csf -l

You can also stop them or reload them with:

# csf -f
# csf -r

respectively. Be sure to memorize these options - you will need them as you go along, particularly to check the rules after making changes and restarting csf and lfd.

To allow incoming connections from 192.168.0.10:

# csf -a 192.168.0.10

Likewise, you can deny connections originating from 192.168.0.11:

# csf -d 192.168.0.11

You can remove each of the above rules if you wish to do so.

# csf -ar 192.168.0.10
# csf -dr 192.168.0.11

Note how the use of -ar or -dr above removes the existing allow and deny rules associated with the given IP address.

Depending on the intended use of your server, you may want to limit incoming connections to a safe number on a per-port basis. To do so, open /etc/csf/csf.conf and search for CONNLIMIT. You can specify multiple port;connections pairs separated by commas. For example,

CONNLIMIT = "22;2,80;10"

will allow only 2 and 10 incoming connections from the same source to TCP ports 22 and 80, respectively.

There are several alert types you can choose from. Look for the EMAIL_ALERT settings in /etc/csf/csf.conf and make sure they are set to "1" to receive the associated alert. For example,

 
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"

will cause an alert to be sent to the address specified in LF_ALERT_TO whenever someone successfully logs in via SSH or switches to another account using the su command.
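A check for the csf.conf settings edited in this article (TESTING, TCP_IN/TCP_OUT, CONNLIMIT and the two alert flags), to run before restarting csf and lfd. It is an added example, not part of CSF or of the original article; the function names and the sample file are constructed for illustration, and the rule that a CONNLIMIT port should also appear in TCP_IN is this example's assumption.

```shell
# Added example (not from the article): lint the csf.conf settings edited above.
# Print the value of KEY = "value" from a csf.conf-style file (last one wins).
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }
valid_port() { is_uint "$1" && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }
# csf.conf port lists also accept low:high ranges, so check both ends.
valid_range() {
    case $1 in *:*:*) return 1 ;; esac
    valid_port "${1%%:*}" && valid_port "${1##*:}"
}
# Print one finding per line for the csf.conf given as $1.
csf_audit() {
    conf=$1
    [ "$(csf_get TESTING "$conf")" = "0" ] ||
        echo "TESTING is not 0: lfd will not start"
    for key in TCP_IN TCP_OUT; do
        for p in $(csf_get "$key" "$conf" | tr ',' ' '); do
            valid_range "$p" || echo "$key: bad port '$p'"
        done
    done
    tcp_in=",$(csf_get TCP_IN "$conf"),"
    for pair in $(csf_get CONNLIMIT "$conf" | tr ',' ' '); do
        port=${pair%%;*}; limit=${pair#*;}
        if [ "$pair" = "$port" ] || ! valid_port "$port" || ! is_uint "$limit"; then
            echo "CONNLIMIT: '$pair' is not port;limit"
        elif [ "${tcp_in#*,$port,}" = "$tcp_in" ]; then  # ranges are not expanded
            echo "CONNLIMIT: port $port is not listed in TCP_IN"
        fi
    done
    for key in LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT; do
        [ "$(csf_get "$key" "$conf")" = "1" ] || echo "$key is not 1"
    done
}

# Constructed sample: TESTING left on, a typo in TCP_IN, CONNLIMIT on a closed port.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
TESTING = "1"
TCP_IN = "22,80,443,99999"
TCP_OUT = "80,443"
CONNLIMIT = "22;2,8080;10"
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "0"
EOF
csf_audit "$sample"
```

On a real server, run csf_audit /etc/csf/csf.conf; no output means none of these checks fired.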

CSF Configuration Options and Usage

The following options are used to modify and control the csf configuration. All csf configuration files are located under the /etc/csf directory. If you modify any of these files you will need to restart the csf daemon for the changes to take effect.

  • csf.conf: The main configuration file for controlling CSF.
  • csf.allow: The list of allowed IP addresses and CIDRs on the firewall.
  • csf.deny: The list of denied IP addresses and CIDRs on the firewall.
  • csf.ignore: The list of ignored IP addresses and CIDRs on the firewall.
  • csf.*ignore: The list of various ignore files of users, IPs.

Uninstall the CSF Firewall

If you would like to remove the CSF firewall completely, just run the following script, located at /etc/csf/uninstall.sh.

# /etc/csf/uninstall.sh

The above command will erase the CSF firewall completely, along with all its files and folders.

In this article we have explained how to install, configure, and use CSF as a firewall and intrusion detection system. Please note that more features are outlined in csf.conf.

For example, if you are in the web hosting business, you can integrate CSF with management solutions like Webmin.

Do you have any questions or comments about this article? Feel free to send us a message using the form below. We look forward to hearing from you!