Replacing Cloudflare with CSF Firewall – Install Guide

2016 Update: Cloudflare has matured and grown a lot over the past 3 years. I highly recommend sticking with Cloudflare and using CSF to complement Cloudflare’s HTTP security. You’ll benefit from their global CDN, free SSL certificates, caching and more. I’m currently using Cloudflare’s Pro plan and also full page caching along with CSF.

Cloudflare can be useful; however, it’s nice to have an alternative for those, like myself, who prefer to know what takes place in the background. As such, this is a quick guide on how to install and configure CSF (ConfigServer Firewall) and its companion LFD (Login Failure Daemon), and how to set up IP filtering/blocking similar to what Cloudflare uses. This guide applies to cPanel, but the instructions can also be used for standalone CSF/LFD installs.

CSF is a top notch server firewall with many configuration options, but is simple enough to install and configure that you can have it running in just a few minutes.

Installing CSF (ConfigServer Firewall)

This is as simple as downloading the source archive to your server and installing it. CSF can be installed with cPanel/WHM integration or as a plain install. The first few installation steps are the same whether it is a cPanel server or a non-cPanel server.

Create or go to a temporary directory (/tmp or /home/tmp), for example:

mkdir /home/tmp
cd /home/tmp

Next, use ‘wget’ to retrieve the CSF install archive:

wget http://www.configserver.com/free/csf.tgz

Now decompress the CSF install files and change directories to the newly created ‘csf’ directory:

tar zxf csf.tgz
cd csf

Ok, here is where the cPanel server or non-cPanel server install differ…

If you’re using cPanel then use:

./install.cpanel.sh

If not, you should install with:

./install.sh

Read the output of the script as it installs. Once complete, you should see something similar to the following:

Don't forget to:
1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf configuration to suite your server
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall
Adding current SSH session IP address to the csf whitelist in csf.allow:
Adding x.x.x.x to csf.allow only while in TESTING 
mode (not iptables ACCEPT)
*WARNING* TESTING mode is enabled 
- do not forget to disable it in the configuration
Installation Completed

Note that both CSF and LFD have now been installed (in TESTING mode).


To start CSF, use:

csf -s

If the service starts without error, take CSF out of testing mode by changing the TESTING setting in csf.conf. To do this, edit the configuration with your favorite editor (or via the cPanel “Firewall Configuration” option):

vim /etc/csf/csf.conf

then change…

TESTING = "1"

to

TESTING = "0"

Restart CSF to fully enable…

csf -r

Congratulations! You’ve just installed CSF Firewall!

Here’s what the CSF help output looks like:

csf   
Option              Meaning
-h, --help          Show this message
-l, --status        List/Show iptables configuration
-s, --start         Start firewall rules
-f, --stop          Flush/Stop firewall rules
-r, --restart       Restart firewall rules
-a, --add ip        Add an IP address to be whitelisted to /etc/csf.allow
-d, --deny ip       Add an IP address to be blocked to /etc/csf.deny
-dr, --denyrm ip    Remove and unblock an IP address in /etc/csf.deny
-c, --check         Checks for updates to csf+lfd but does not perform an upgrade
-g, --grep ip       Search the iptables rules for an IP match (incl. CIDR)
-t, --temp          Displays the current list of temporary IP bans and their TTL
-tr, --temprm ip    Remove an IP address from the temporary IP ban list
-td, --tempdeny ip ttl [-p port] [-d direction]
                    Add an IP address to the temporary IP ban list. ttl is how
                    long to blocks for in seconds. Optional port. Optional
                    direction of block can be one of in, out or inout. Default
                    is in
-tf, --tempf        Flush all IP addresses from the temporary IP ban list
-u, --update        Checks for updates to csf+lfd and performs an upgrade if
                    available
-x, --disable       Disable csf and lfd
-e, --enable        Enable csf and lfd if previously disabled
-v, --version       Show csf version

For example, to block an IP, use: csf -d IPADDRESS

You can read about and fine-tune all settings by editing /etc/csf/csf.conf.


For cPanel you can edit from WHM under the “Plugins” area.

Also see: http://configserver.com/cp/csf.html

Using CSF as Cloudflare replacement

Cloudflare blocks many IPs before they ever reach your website/server. This is done via IP lists, for example from Project Honey Pot, the Web’s largest community project tracking online fraud and abuse, which provides regularly updated IP block lists.

CSF IP Block Lists – This feature allows csf/lfd to periodically download lists of IP addresses and CIDRs from published block or black lists. It is controlled by the file /etc/csf/csf.blocklists. The IP block lists can also be configured via cPanel.

Simply uncomment the line starting with the rule name to use it (read instructions at the top of the csf.blocklists file), then restart csf/lfd.

The blocklists that can be enabled include:

      • Spamhaus
      • DShield
      • TOR
      • BOGON
      • Project Honeypot
      • BruteForceBlocker
      • Emerging Threats – Russian Business Networks List
      • OpenBL.org 30 day List
      • Autoshun Shun List
      • MaxMind GeoIP Anonymous Proxies
      • C.I. Army Malicious IP List

IMPORTANT: Some of these lists can be very long – hundreds or even thousands of IP addresses – and could cause serious network and/or performance issues, so I recommend setting a value for the MAX field.

Each URL is scanned for one IPv4/CIDR address per line, and each address found is blocked, up to the maximum number of IPs you choose.

Here’s what my file looks like:

###############################################################################
# Copyright 2006-2013, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# This file contains definitions to IP BLOCK lists.
#
# Uncomment the line starting with the rule name to use it, then restart csf
# and then lfd
#
# Each block list must be listed on per line: as NAME|INTERVAL|MAX|URL
#   NAME    : List name with all uppercase alphabetic characters with no
#             spaces and a maximum of 9 characters - this will be used as the
#             iptables chain name
#   INTERVAL: Refresh interval to download the list, must be a minimum of 3600
#             seconds (an hour), but 86400 (a day) should be more than enough
#   MAX     : This is the maximum number of IP addresses to use from the list,
#             a value of 0 means all IPs
#   URL     : The URL to download the list from
#
# Note: Some of these lists are very long (thousands of IP addresses) and
# could cause serious network and/or performance issues, so setting a value for
# the MAX field should be considered
#
# After making any changes to this file you must restart csf and then lfd
#
# If you want to redownload a blocklist you must first delete
# /etc/csf/csf.block.NAME and then restart csf and then lfd
#
# Each URL is scanned for an IPv4/CIDR address per line and if found is blocked

# Spamhaus Don't Route Or Peer List (DROP)
# Details: http://www.spamhaus.org/drop/
SPAMDROP|86400|100|http://www.spamhaus.org/drop/drop.lasso

# Spamhaus Extended DROP List (EDROP)
# Details: http://www.spamhaus.org/drop/
SPAMEDROP|86400|100|http://www.spamhaus.org/drop/edrop.lasso

# DShield.org Recommended Block List
# Details: http://dshield.org
DSHIELD|86400|100|http://feeds.dshield.org/block.txt

# TOR Exit Nodes
# Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
TOR|86400|100|http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1

# BOGON list
# Details: http://www.team-cymru.org/Services/Bogons/
BOGON|86400|100|http://www.cymru.com/Documents/bogon-bn-agg.txt

# Project Honey Pot Directory of Dictionary Attacker IPs
# Details: http://www.projecthoneypot.org
HONEYPOT|86400|100|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1

# C.I. Army Malicious IP List
# Details: http://www.ciarmy.com
CIARMY|86400|100|http://www.ciarmy.com/list/ci-badguys.txt

# BruteForceBlocker IP List
# Details: http://danger.rulez.sk/index.php/bruteforceblocker/
BFB|86400|100|http://danger.rulez.sk/projects/bruteforceblocker/blist.php

# Emerging Threats - Russian Business Networks List
# Details: http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
RBN|86400|100|http://rules.emergingthreats.net/blockrules/rbn-ips.txt

# OpenBL.org 30 day List
# Details: http://www.openbl.org
OPENBL|86400|100|http://www.us.openbl.org/lists/base_30days.txt

# Autoshun Shun List
# Details: http://www.autoshun.org/
AUTOSHUN|86400|100|http://www.autoshun.org/files/shunlist.csv

# MaxMind GeoIP Anonymous Proxies
# Details: http://www.maxmind.com/en/anonymous_proxies
MAXMIND|86400|100|http://www.maxmind.com/en/anonymous_proxies
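As an added illustration (not part of the original post and not CSF/lfd’s own code), here is a small Python check of the NAME|INTERVAL|MAX|URL rules stated in the file header, plus a simulation of how a downloaded list is reduced to one IPv4/CIDR per line and capped at MAX; the regex and the sample feed are constructed for the example.

```python
import ipaddress
import re
# First IPv4 address or IPv4/CIDR on a line (constructed regex)
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\b")

def parse_blocklist_line(line):
    """One NAME|INTERVAL|MAX|URL entry -> dict; None for blank/comment lines;
    ValueError when the entry breaks a rule stated in the file header."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split("|", 3)
    if len(parts) != 4:
        raise ValueError("expected NAME|INTERVAL|MAX|URL: %r" % line)
    name, interval, maximum, url = parts
    if not re.fullmatch(r"[A-Z]{1,9}", name):  # NAME is the iptables chain
        raise ValueError("bad NAME %r (uppercase, 1-9 letters)" % name)
    interval, maximum = int(interval), int(maximum)
    if interval < 3600:
        raise ValueError("INTERVAL for %s is below 3600 seconds" % name)
    if maximum < 0:
        raise ValueError("MAX for %s must be 0 (all IPs) or positive" % name)
    return {"name": name, "interval": interval, "max": maximum, "url": url}

def extract_entries(list_text, maximum):
    """First valid IPv4/CIDR from each non-comment line, stopping after MAX
    entries (0 = no cap). Mirrors the header's description, not lfd's code."""
    found = []
    for line in list_text.splitlines():
        m = _IP_RE.search(line)
        if line.lstrip().startswith("#") or not m:
            continue
        try:
            ipaddress.ip_network(m.group(1), strict=False)  # rejects 999.1.1.1
        except ValueError:
            continue
        found.append(m.group(1))
        if maximum and len(found) >= maximum:
            break
    return found

# Constructed sample feed: comments, a DShield-style tab range, a CIDR, junk, an IP
SAMPLE_LIST = """# constructed sample, not a real feed
# Start\tEnd\tNetmask\tAttacks\tName
203.0.113.0\t203.0.113.255\t24\t120\tExample Net
198.51.100.0/24
junk 999.1.1.1
192.0.2.7
"""
```

Running extract_entries(SAMPLE_LIST, 2) shows how a small MAX silently drops everything after the first two matches, which is the trade-off the warning above is about.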

Note that the founders of Cloudflare previously worked on Project Honey Pot, so at the very least enable that one. ;)


For added security you’ll need other tools, for example ModSecurity. Also, this does NOT make your website faster, provide CDN or any of the Cloudflare specific security features. However, if you don’t want Cloudflare in front of your server’s traffic, then this is an alternative starting point.

Enjoy!
