PART 2: INSTALL & CONFIGURE
PART 3: SECURITY ADMIN
PART 4: SECURITY EXTRAS
##################################
### PART 2: INSTALL & CONFIGURE ###
##################################
CONTENT
- EASY SETUP
- INSTALLATION: CSF
- TEST
- CSF USER INTERFACE (UI): SETUP
- SSL CERTIFICATE
- COUNTRY CODES & BLOCKLISTS: IPSET (optional)
- CUSTOM CONFIGS: DOWNLOAD & ADD
- CUSTOM CONFIGS: PERSONALISE
- IP ACCESS LOG (optional/recommended)
- RAINLOOP LOG
- TESTING = "1"
- ACTIVATE CONFIGS
- ACCESS CSF UI
- CLEAN UP
EASY SETUP
Estimated Time Required: ~ 30-60 minutes
Optional: allow more time for reading config files
This installation and configuration of CSF has been tailored to suit KeyHelp. Reading all the CSF documentation and config comments can take forever, and then comes the trial and error...
This guide makes things much easier, as I have already preconfigured everything with safe defaults. All main configs are included here, for download and easy setup!
INSTALLATION: CSF
https://download.configserver.com/csf/install.txt
Install CSF
Installation is quite straightforward.
Open a Terminal as root, and keep it open.
Issue these commands to install CSF:
Code:
cd /usr/src
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
TEST
Next, test whether you have the required iptables modules; they should all show OK:
Code:
perl /usr/local/csf/bin/csftest.pl
CSF USER INTERFACE (UI): SETUP
Install the following packages, which are required to run the User Interface (UI) and related functions:
Code:
apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libwww-perl liblwp-protocol-https-perl
SSL CERTIFICATE
The CSF UI connection should use TLS with the host's certificate. We add the certificate to CSF with the following commands (replace "host.domain.com" with your hostname):
Code:
cp /etc/ssl/keyhelp/letsencrypt/keyhelp/host.domain.com/cert.pem /etc/csf/ui/server.crt
cp /etc/ssl/keyhelp/letsencrypt/keyhelp/host.domain.com/private.pem /etc/csf/ui/server.key
Add these 2 commands as scheduled tasks (cron jobs) here, so the copies stay current after each certificate renewal:
KeyHelp > SETTINGS > Configuration > Scheduled tasks
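The two cp commands above do the job, but a scheduled task that copies blindly will overwrite the UI key with nothing if the Let's Encrypt files are ever missing, and it cannot tell whether anything changed. The script below is an added example, not part of the original post and not CSF's own code: it copies the host's certificate and key only when both are readable and differ from what the UI already has, tightens the key's permissions, and restarts lfd (which serves the UI) after a change. That restart-on-change is an assumption about what the UI needs to pick up a renewed certificate, not something the guide states. CSF_SRC_BASE and CSF_UI_DIR default to the paths used in the guide and can be overridden, e.g. for testing.

```shell
#!/bin/sh
# Added example (not from the original post or from CSF): keep the CSF UI
# certificate in sync with the KeyHelp Let's Encrypt certificate for the host.
# CSF_SRC_BASE and CSF_UI_DIR default to the guide's paths; override for testing.
CSF_SRC_BASE="${CSF_SRC_BASE:-/etc/ssl/keyhelp/letsencrypt/keyhelp}"
CSF_UI_DIR="${CSF_UI_DIR:-/etc/csf/ui}"

# Hook run after a changed certificate has been installed. Assumption: lfd
# serves the UI and needs a restart to load a new server.crt/server.key.
# Tests override this function.
reload_csf_ui() {
    service lfd restart
}

# sync_csf_ui_cert HOSTNAME
# Returns 0 when server.crt/server.key are current afterwards, 1 when the
# source certificate or key is missing or unreadable (UI files left untouched).
sync_csf_ui_cert() {
    host="$1"
    src_cert="$CSF_SRC_BASE/$host/cert.pem"
    src_key="$CSF_SRC_BASE/$host/private.pem"
    if [ ! -r "$src_cert" ] || [ ! -r "$src_key" ]; then
        echo "sync_csf_ui_cert: no readable cert.pem/private.pem for $host under $CSF_SRC_BASE" >&2
        return 1
    fi
    [ -d "$CSF_UI_DIR" ] || mkdir -p "$CSF_UI_DIR"

    changed=0
    # cmp -s exits non-zero when the files differ or the target does not exist yet
    if ! cmp -s "$src_cert" "$CSF_UI_DIR/server.crt"; then
        cp "$src_cert" "$CSF_UI_DIR/server.crt"
        changed=1
    fi
    if ! cmp -s "$src_key" "$CSF_UI_DIR/server.key"; then
        cp "$src_key" "$CSF_UI_DIR/server.key"
        changed=1
    fi
    # lfd runs as root, so the private key needs no wider access than this
    chmod 600 "$CSF_UI_DIR/server.key"
    chmod 644 "$CSF_UI_DIR/server.crt"

    if [ "$changed" -eq 1 ]; then
        reload_csf_ui
    fi
    return 0
}

# When run as a script, take the hostname from the command line:
#   sh sync-csf-ui-cert.sh host.domain.com
if [ -n "${1:-}" ]; then
    sync_csf_ui_cert "$1"
fi
```

Save it somewhere like /usr/local/sbin (the file name is your choice) and point the KeyHelp scheduled task at it with your hostname as the only argument; an unchanged certificate then costs nothing but two file comparisons.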
COUNTRY CODES & BLOCKLISTS: IPSET (Optional)
http://ipset.netfilter.org/
To complete the installation side of things, this is the last step, and it is optional.
If you intend to block or allow IPs based on Country Codes (CC) or blocklists (csf.blocklist), which are long lists of IP addresses, it is recommended to install IPSET to improve performance.
"Using ipset moves the onus of ip matching against large lists away from iptables rules and to a purpose built and optimised database matching utility. It also simplifies the switching in of updated lists"
Install IPSET
Code:
apt-get install ipset
CUSTOM CONFIGS: DOWNLOAD & ADD
The CSF configuration files reside in the directory /etc/csf
1. Download the custom config files attached to this post (below)
2. Extract the files (uncompress)
3. Copy the file "regex.custom.pm" to /usr/local/csf/bin/regex.custom.pm
4. Copy all the rest (incl. /ui/ui.allow) to /etc/csf directory
- alternatively, you could copy/paste the text and gain a better understanding.
CUSTOM CONFIGS: PERSONALISE
Include details specific to you:
1. Add your IP address or subnet/s to /etc/csf/ui/ui.allow
- only addresses in ui.allow are allowed access to UI login
2. Add your IP address or subnet/s to /etc/csf/csf.allow
- this should always allow you access
3. Add your IP address or trusted subnet/s to /etc/csf/csf.ignore
- this prevents LFD from ever blocking you; take care, as any address added to csf.ignore will never get blocked - add trusted IPs only!
4. Add a username and password (anything you like); you will log in to the CSF UI using these details.
-- Open /etc/csf/csf.conf
-- Scroll down to SECTION:Integrated User Interface
-- Find the following 2 entries and edit to include your details:
Code:
UI_USER = "ADD-Username-here"
UI_PASS = "ADD-PASSWORD-here"
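Steps 1-3 above are plain text edits, and the usual mistakes are a mistyped address (which silently never matches) or the same entry pasted twice. The helper below is an added example, not part of the original post and not CSF's own tooling: it appends an entry to ui.allow, csf.allow or csf.ignore only if it is a well-formed IPv4 address or IPv4 CIDR (the simple form this guide uses; IPv6 and CSF's "tcp|in|d=22|s=..." advanced syntax are deliberately not handled) and only if it is not already listed, so re-running it from a provisioning script is harmless. CSF_ETC defaults to /etc/csf and can be overridden, e.g. for testing (an assumption of this example).

```shell
#!/bin/sh
# Added example (not from the original post or from CSF): validated,
# idempotent additions to CSF's allow/ignore lists. CSF_ETC defaults to the
# guide's /etc/csf; override it for testing.
CSF_ETC="${CSF_ETC:-/etc/csf}"

# is_ipv4_cidr "a.b.c.d" or "a.b.c.d/n"
# Returns 0 when each octet is 0-255 and the prefix length (default 32) is 0-32.
is_ipv4_cidr() {
    case "$1" in
        ''|*[!0-9./]*|.*|*.|*..*|*/*/*) return 1 ;;
    esac
    addr="${1%%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32          # no slash: a single host
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $addr                               # split the address on dots
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# csf_list_add FILE ENTRY [COMMENT]
# FILE is relative to CSF_ETC (ui/ui.allow, csf.allow, csf.ignore).
# Returns 0 when ENTRY is in the file afterwards (added now, or already
# present as the first field of a line), 2 when ENTRY is not a valid IPv4/CIDR.
csf_list_add() {
    file="$CSF_ETC/$1"
    entry="$2"
    comment="${3:-}"
    if ! is_ipv4_cidr "$entry"; then
        echo "csf_list_add: not a plain IPv4 address or CIDR: $entry" >&2
        return 2
    fi
    [ -f "$file" ] || touch "$file"
    # Already listed? Compare the first field only, so trailing "# comments" are ignored.
    if awk -v e="$entry" '$1 == e { found = 1 } END { exit !found }' "$file"; then
        return 0
    fi
    if [ -n "$comment" ]; then
        printf '%s # %s\n' "$entry" "$comment" >> "$file"
    else
        printf '%s\n' "$entry" >> "$file"
    fi
}

# Usage, with constructed documentation addresses (replace with your own):
#   csf_list_add ui/ui.allow 203.0.113.7
#   csf_list_add csf.allow   203.0.113.7 "my workstation"
#   csf_list_add csf.ignore  198.51.100.0/24 "office, trusted"
```

The comment argument is worth using on csf.ignore in particular: months later, a bare network with no note is exactly the entry nobody dares to remove, even though everything in that file is exempt from LFD for good.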
IP ACCESS LOG (optional/recommended)
The default access.log for domains uses the client hostname, if available, in the first field; otherwise the IP address is used. The hostname can be spoofed, so for our purposes it is preferable to log the IP address.
I decided to set up a CustomLog with the desired format that logs access to any domain. The only side effect noticed is that the Apache Status page in KeyHelp now only shows IP addresses (no hostnames) - I can live with that. For more information on logging, see Guide Part 3 - Section: LOGS WATCHED.
This CustomLog is optional but highly recommended, and is used to effectively block exploits on domains.
Create log
Create the log file, with the correct owner and permissions:
Code:
cd /var/log/apache2/keyhelp
touch ipaccess.log
chmod 640 ipaccess.log
chown root:adm ipaccess.log
As a bonus, KeyHelp rotates this log for us.
CustomLog to Apache settings
Next, we need to include our CustomLog directive in the Apache settings.
Add the CustomLog directive (below) under "Apache settings" for each domain you want to monitor.
KeyHelp > DOMAINS > Domains / Edit domain > Apache settings
# Additional Apache directives:
Code:
<IfModule mod_logio.c>
CustomLog "${APACHE_LOG_DIR}/keyhelp/ipaccess.log" "%a %v %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O"
</IfModule>
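Because the CustomLog above puts %a (the client IP, which cannot be altered by the client the way a reverse-DNS hostname can) in the first field, every line has a reliable key to count by. The script below is an added example, not part of the original post: it reads lines in exactly this log format and counts 4xx/5xx responses per client IP, which is the kind of signal an LFD regex in regex.custom.pm acts on. It splits on the double quotes rather than on spaces, so a malformed request line with extra spaces does not shift the status column, and it undoes Apache's \" escaping inside the request first. The sample log lines are constructed for the example, with documentation addresses and hostnames.

```shell
#!/bin/sh
# Added example (not from the original post): summarise ipaccess.log lines in
# the guide's format
#   %a %v %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %I %O
# by counting error responses (status 4xx/5xx) per client IP.

# error_hits_by_ip LOGFILE [THRESHOLD]
# Prints "count ip" for every IP with at least THRESHOLD (default 1) error
# responses, highest count first. Lines not in the expected format are skipped.
error_hits_by_ip() {
    awk -v min="${2:-1}" '
    {
        # Apache writes a literal quote inside %r or a header as \"; hide those
        # so they do not count as field delimiters.
        gsub(/\\"/, "\001")
        # q[1] = "ip vhost ident user [time] ", q[2] = request line,
        # q[3] = " status bytes ", q[4] = referer, q[6] = user agent, q[7] = " in out"
        n = split($0, q, "\"")
        if (n < 7) next
        split(q[1], head, " ")
        ip = head[1]
        split(q[3], tail, " ")
        status = tail[1]
        if (status ~ /^[45][0-9][0-9]$/) hits[ip]++
    }
    END {
        for (ip in hits) if (hits[ip] >= min) printf "%d %s\n", hits[ip], ip
    }' "$1" | sort -rn
}

# Constructed sample log (not real traffic): one client producing three error
# responses, one of them a request line containing escaped quotes, and one
# client with a single 404.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.9 www.example.test - - [15/Mar/2020:18:10:01 +1100] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0" 312 420
203.0.113.9 www.example.test - - [15/Mar/2020:18:10:02 +1100] "GET /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0" 311 423
203.0.113.9 www.example.test - - [15/Mar/2020:18:10:03 +1100] "GET /?q=\"x y\" HTTP/1.1" 400 226 "-" "-" 40 450
198.51.100.4 shop.example.test - - [15/Mar/2020:18:11:00 +1100] "GET / HTTP/1.1" 200 5120 "-" "curl/7.68.0" 80 5300
198.51.100.4 shop.example.test - - [15/Mar/2020:18:11:05 +1100] "GET /admin HTTP/1.1" 404 196 "-" "curl/7.68.0" 85 420
EOF

# Clients with two or more error responses in the sample:
error_hits_by_ip "$SAMPLE_LOG" 2
```

Run it against /var/log/apache2/keyhelp/ipaccess.log with a threshold of your choice to see which addresses LFD would be dealing with; the same quote-aware split is what a hand-written regex for this log must get right, since the request line is the one field an attacker controls.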
RAINLOOP LOG
If you use Rainloop for webmail, let's enable auth logging for it, so that Rainloop logins can be monitored and abusers blocked.
Edit: /home/keyhelp/www/rainloop/data/_data_/_default_/configs/application.ini
Make these changes in application.ini:
Code:
...
[logs]
; Enable logging
enable = On
...
;NOTE: Replace X with your timezone offset from GMT (+or-)
time_offset = "X"
...
; Enable auth logging in a separate file (for fail2ban)
auth_logging = On
auth_logging_filename = "webmail-auth.log"
As I remember, the webmail-auth.log will be created upon the next Rainloop login attempt. Check to make sure it resides at:
/home/keyhelp/www/rainloop/data/_data_/_default_/logs/webmail-auth.log
If not, just create it like we did the custom log:
Code:
cd /home/keyhelp/www/rainloop/data/_data_/_default_/logs/
touch webmail-auth.log
chmod 644 webmail-auth.log
chown keyhelp:keyhelp webmail-auth.log
After a Rainloop update, application.ini may be replaced (you will be notified), in which case it may need to be edited again as above. The webmail-auth.log remains untouched.
TESTING = "1"
Before we restart the services (to activate), CSF recommends enabling "Testing" mode in case of configuration problems when you start CSF - in which case, just reboot. I never bother with this, but if you are cautious...
Edit: /etc/csf/csf.conf
Modify the first setting to:
Code:
TESTING = "1"
Note: LFD will not start while testing is enabled.
When you are ready, go back and set TESTING = "0".
ACTIVATE CONFIGS
Now the install and configs are done, let's make them active:
Code:
service apache2 restart
service csf restart
service lfd restart
service lfd status
Output:
root@host:~# service lfd status
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-03-15 18:08:58 AEDT; 2s ago
Process: 5148 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 5187 (lfd - sleeping)
Tasks: 2 (limit: 4660)
CGroup: /system.slice/lfd.service
├─5187 lfd - sleeping
└─5196 lfd UI
Mar 15 18:08:58 host.domain.com systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Mar 15 18:08:58 host.domain.com systemd[1]: Started ConfigServer Firewall & Security - lfd.
Now go ahead and log in to the UI, then take a look around.
ACCESS CSF UI
To log in to the CSF UI, enter this into your browser (replace "host.domain.com" with your hostname):
https://host.domain.com:8080
(Screenshots in the original post: CSF UI login page, CSF homepage)
For more on UI usage, see Guide Part 3: Section: USING THE CSF USER INTERFACE (UI)
CLEAN UP
Whenever you are satisfied that everything works OK...
Disable fail2ban & KeyHelp firewall (recommended)
After full setup and testing, these should be disabled, as they are no longer required and may cause conflicts.
CSF recommends: "You should not run any other iptables firewall configuration script."
CSF also does the job of fail2ban, so it is now redundant.
Disable KeyHelp firewall
This is simple, and easily reversible.
1. Navigate to:
KeyHelp > SECURITY > Firewall
2. Click "Settings" button (top-right of page)
3. Uncheck the following setting:
Load on server startup [_] <--Uncheck
4. Click "Save"
- Next time the server boots, it won't be loaded.
Disable Fail2ban
One easy command (this stops fail2ban from starting at boot; an instance that is already running keeps going until it is stopped or the server reboots):
Code:
systemctl disable fail2ban
Edit: /etc/logrotate.d/fail2ban
- it contains a list of logrotate directives
1. Insert the following line at the top of that list, so an empty log is no longer rotated:
Code:
notifempty
The top of the file should look like this:
Code:
/var/log/fail2ban.log {
notifempty
weekly
rotate 4
compress
...
Next:
In Part 3, Security Admin, we look at security administration as it relates to CSF on a KeyHelp powered server. This includes CSF usage, the UI, customisations, logs, regex, etc.
#############################
NEXT::: PART 3: SECURITY ADMIN
#############################