November 5th 2018 update: I’ve updated this article (the install URL and other minor fixes/improvements). I replaced Cloudflare, and thus also Cloudflare Argo, with KeyCDN plus a local firewall and server hardening for this blog as of June 2018. However, I do support clients who use Cloudflare and still highly recommend it.

2017 update: With the recent Cloudflare “Cloudbleed” data leak, you may be considering removing Cloudflare. This article (originally published 3 years ago) has been updated and tested. Personally, I will be keeping Cloudflare. Please follow the URLs included at the end of this blog post for further details on this issue. A lot of personally identifiable information (PII) was cached by Cloudflare, so it’s recommended that everyone take immediate action and change passwords on all sites that are running behind Cloudflare. At the end of the day it is always a good idea to change your passwords and change them often.

2016 update: Cloudflare has matured and grown a lot over the past 3 years. I highly recommend sticking with Cloudflare and using CSF to complement Cloudflare’s HTTP security. You’ll benefit from their global CDN, free SSL certificates, caching and more. I’m currently using Cloudflare’s Pro plan and also full page caching along with CSF.

The founders of Cloudflare previously worked on the Project Honey Pot –> [ Update: Looks like Cloudflare removed mention of Project Honey Pot, can be read here using the web archive ]. You can read more about installing CSF + Project Honey Pot below.

Cloudflare is great when set up correctly; however, it’s nice to have an alternative for those who prefer to control server security without an offsite reverse proxy. As such, this is a quick guide on how to install and configure CSF (ConfigServer Firewall), its companion LFD (Login Failure Daemon), and how to set up similar, albeit less sophisticated, IP filtering/blocking to what Cloudflare does. This guide applies to a standalone CSF/LFD install and also to a cPanel + CSF/LFD install.

Installing CSF (ConfigServer Firewall)

CSF is a top-notch server firewall with many configuration options, but it is simple enough to install and configure that you can have it running in just a few minutes. It is as simple as downloading the source archive to your server and running the installer. CSF can be installed with cPanel/WHM integration or as a regular standalone install. The first few installation steps are the same whether it is a cPanel server or a non-cPanel server.

Create or change into a temporary directory, for example /tmp or /home/tmp (optional):

mkdir /home/tmp
cd /home/tmp

Next, use ‘wget’ to retrieve the CSF install archive:

wget https://download.configserver.com/csf.tgz

Now extract the CSF install files and change into the newly created ‘csf’ directory:

tar zxf csf.tgz
cd csf

OK, here is where the cPanel server vs. non-cPanel server install differs. If you’re using cPanel, install with:

./install.cpanel.sh

If not, you should install with:

./install.sh

Read the output of the script as it installs. Once complete, you should see something similar to the following:

Don't forget to:
1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf configuration to suite your server
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall

Adding current SSH session IP address to the csf whitelist in csf.allow:
Adding x.x.x.x to csf.allow only while in TESTING mode (not iptables ACCEPT)

*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration

Installation Completed

Note that both CSF and LFD have now been installed (in TESTING mode).

To start CSF, use:

csf -s

If the service starts without error, take CSF out of testing mode by changing the setting in csf.conf. Before you do, make sure the port you use for SSH is listed in TCP_IN: the installer only whitelisted your current session IP while in TESTING mode, so leaving TESTING mode with SSH missing from TCP_IN can lock you out. Edit the configuration with your favourite editor (or via the cPanel “Firewall Configuration” option):

vim /etc/csf/csf.conf

then change…

TESTING = "1"

to

TESTING = "0"

Restart CSF to fully enable…

csf -r

Congratulations! You’ve just installed CSF Firewall!
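The install steps above collected into one POSIX shell script, as an added example that is not part of the original article or of csf’s own tooling. It assumes a non-cPanel host (install.sh rather than install.cpanel.sh), that it runs as root, and the /home/tmp scratch directory and /etc/csf/csf.conf path used above. The port lists in csf_configure are an assumed example for a web server that only serves SSH, HTTP and HTTPS; change them to what your host actually listens on. The two helpers edit csf.conf the way the text describes (TESTING = "1" to TESTING = "0") without sed -i, writing to a temp file and renaming so a failed edit never leaves csf.conf half-written, and nothing touches the host unless CSF_DO_INSTALL=1 is set.

```shell
#!/bin/sh
# Added example: CSF/LFD install as one script (not from the article or csf).
# Assumptions: non-cPanel host, root, paths below, and the port lists in
# csf_configure (an example for an SSH+HTTP+HTTPS web server).
set -eu

CSF_URL="https://download.configserver.com/csf.tgz"   # install URL from the article
CSF_CONF="/etc/csf/csf.conf"
WORKDIR="/home/tmp"

# Read the value of KEY from a csf.conf-style file (lines look like: KEY = "value").
csf_get_option() {
    conf="$1"; key="$2"
    sed -n "s/^${key} = \"\([^\"]*\)\".*/\1/p" "$conf" | head -n 1
}

# Set KEY = "VALUE" in place. Fails if KEY is absent: csf.conf ships every
# key, so a missing one means the wrong file was passed.
csf_set_option() {
    conf="$1"; key="$2"; value="$3"
    grep -q "^${key} = \"" "$conf" || { echo "csf_set_option: no key $key in $conf" >&2; return 1; }
    sed "s|^${key} = \"[^\"]*\"|${key} = \"${value}\"|" "$conf" > "${conf}.tmp"
    mv "${conf}.tmp" "$conf"
}

# The fetch/unpack/install steps from the article. The archive is fetched
# over HTTPS; read install.sh before running it as root.
csf_install() {
    mkdir -p "$WORKDIR" && cd "$WORKDIR"
    wget -q "$CSF_URL"
    tar zxf csf.tgz && cd csf
    sh install.sh
}

# Tighten the port lists before leaving TESTING mode, as the install notice
# asks. These values are an assumption for an SSH+HTTP+HTTPS web server;
# whatever you choose, the SSH port MUST be in TCP_IN or you lock yourself out.
csf_configure() {
    csf_set_option "$CSF_CONF" TCP_IN  "22,80,443"
    csf_set_option "$CSF_CONF" TCP_OUT "22,25,53,80,443"
    csf_set_option "$CSF_CONF" UDP_IN  ""
    csf_set_option "$CSF_CONF" UDP_OUT "53,123"
}

# Start, then disable TESTING and restart (csf's TESTING cron job flushes
# the rules periodically until TESTING is 0), then confirm the change stuck.
csf_enable() {
    csf -s
    csf_set_option "$CSF_CONF" TESTING 0
    csf -r
    [ "$(csf_get_option "$CSF_CONF" TESTING)" = "0" ] || { echo "TESTING still enabled" >&2; return 1; }
}

# Only run the real install when explicitly asked, so the helpers can be
# sourced or tested without touching the host:  CSF_DO_INSTALL=1 sh csf-install.sh
if [ "${CSF_DO_INSTALL:-0}" = "1" ]; then
    csf_install
    csf_configure
    csf_enable
fi
```

Run it with CSF_DO_INSTALL=1 after reading install.sh, then check the loaded rules with csf -l and confirm you can still open a second SSH session before closing the one you are in.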

CSF (ConfigServer Firewall) command line shortcuts

Option                                           Meaning
-h, --help                                       Show this message
-l, --status                                     List/Show iptables configuration
-s, --start                                      Start firewall rules
-f, --stop                                       Flush/Stop firewall rules
-r, --restart                                    Restart firewall rules
-a, --add ip                                     Add an IP address to be whitelisted to /etc/csf/csf.allow
-d, --deny ip                                    Add an IP address to be blocked to /etc/csf/csf.deny
-dr, --denyrm ip                                 Remove and unblock an IP address in /etc/csf/csf.deny
-c, --check                                      Checks for updates to csf+lfd but does not perform an upgrade
-g, --grep ip                                    Search the iptables rules for an IP match (incl. CIDR)
-t, --temp                                       Displays the current list of temporary IP bans and their TTL
-tr, --temprm ip                                 Remove an IP address from the temporary IP ban list
-td, --tempdeny ip ttl [-p port] [-d direction]  Add an IP address to the temporary IP ban list. ttl is how long to block for in seconds. Optional port. Optional direction of block can be one of in, out or inout. Default is in
-tf, --tempf                                     Flush all IP addresses from the temporary IP ban list
-u, --update                                     Checks for updates to csf+lfd and performs an upgrade if available
-x, --disable                                    Disable csf and lfd
-e, --enable                                     Enable csf and lfd if previously disabled
-v, --version                                    Show csf version

For example, to block an IP permanently use: csf -d IPADDRESS

You can read about and fine-tune all settings by editing /etc/csf/csf.conf.

For cPanel you can edit from WHM under the “Plugins” area.

Also see: http://configserver.com/cp/csf.html

Using CSF as Cloudflare replacement

Cloudflare blocks a lot of IPs before they ever reach your website/server. This is done via IP lists, for example Project Honey Pot, the Web’s largest community project tracking online fraud and abuse, which provides regularly updated IP block lists.

CSF IP Block Lists: this feature allows csf/lfd to periodically download lists of IP addresses and CIDRs from published block or black lists. It is controlled by the file /etc/csf/csf.blocklists. The IP block lists can also be configured via cPanel.

Simply uncomment the line starting with the rule name to use it (read instructions at the top of the csf.blocklists file), then restart csf/lfd.

The blocklists that can be enabled include:

Spamhaus
DShield
TOR
BOGON
Project Honeypot
BruteForceBlocker
Emerging Threats – Russian Business Networks List
OpenBL.org 30 day List
Autoshun Shun List
MaxMind GeoIP Anonymous Proxies
C.I. Army Malicious IP List



IMPORTANT: Some of these lists can be very long (thousands of IP addresses) and every entry becomes an iptables rule, so an unbounded list can cause serious network and/or performance issues. I recommend that you set a value for the MAX field.

Each URL is scanned for an IPv4/CIDR address per line and, if found, it is blocked, up to the MAX number of entries you choose (0 means all). csf uses at most MAX entries from each list, so a low MAX leaves the remainder of a long list unblocked; size MAX against the actual length of each list rather than leaving it at an arbitrary small number.

Here’s what my file looks like:

###############################################################################
# Copyright 2006-2013, Way to the Web Limited
# URL: http://www.configserver.com
###############################################################################
# This file contains definitions to IP BLOCK lists.
#
# Uncomment the line starting with the rule name to use it, then restart csf
# and then lfd
#
# Each block list must be listed on per line: as NAME|INTERVAL|MAX|URL
#   NAME    : List name with all uppercase alphabetic characters with no
#             spaces and a maximum of 9 characters - this will be used as the
#             iptables chain name
#   INTERVAL: Refresh interval to download the list, must be a minimum of 3600
#             seconds (an hour), but 86400 (a day) should be more than enough
#   MAX     : This is the maximum number of IP addresses to use from the list,
#             a value of 0 means all IPs
#   URL     : The URL to download the list from
#
# Note: Some of these lists are very long (thousands of IP addresses) and
# could cause serious network and/or performance issues, so setting a value for
# the MAX field should be considered
#
# After making any changes to this file you must restart csf and then lfd
#
# If you want to redownload a blocklist you must first delete
# /etc/csf/csf.block.NAME and then restart csf and then lfd
#
# Each URL is scanned for an IPv4/CIDR address per line and if found is blocked

# Spamhaus Don't Route Or Peer List (DROP)
# Details: http://www.spamhaus.org/drop/
SPAMDROP|86400|100|http://www.spamhaus.org/drop/drop.lasso

# Spamhaus Extended DROP List (EDROP)
# Details: http://www.spamhaus.org/drop/
SPAMEDROP|86400|100|http://www.spamhaus.org/drop/edrop.lasso

# DShield.org Recommended Block List
# Details: http://dshield.org
DSHIELD|86400|100|http://feeds.dshield.org/block.txt

# TOR Exit Nodes
# Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
TOR|86400|100|http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1

# BOGON list
# Details: http://www.team-cymru.org/Services/Bogons/
BOGON|86400|100|http://www.cymru.com/Documents/bogon-bn-agg.txt

# Project Honey Pot Directory of Dictionary Attacker IPs
# Details: http://www.projecthoneypot.org
HONEYPOT|86400|100|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1

# C.I. Army Malicious IP List
# Details: http://www.ciarmy.com
CIARMY|86400|100|http://www.ciarmy.com/list/ci-badguys.txt

# BruteForceBlocker IP List
# Details: http://danger.rulez.sk/index.php/bruteforceblocker/
BFB|86400|100|http://danger.rulez.sk/projects/bruteforceblocker/blist.php

# Emerging Threats - Russian Business Networks List
# Details: http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
RBN|86400|100|http://rules.emergingthreats.net/blockrules/rbn-ips.txt

# OpenBL.org 30 day List
# Details: http://www.openbl.org
OPENBL|86400|100|http://www.us.openbl.org/lists/base_30days.txt

# Autoshun Shun List
# Details: http://www.autoshun.org/
AUTOSHUN|86400|100|http://www.autoshun.org/files/shunlist.csv

# MaxMind GeoIP Anonymous Proxies
# Details: http://www.maxmind.com/en/anonymous_proxies
MAXMIND|86400|100|http://www.maxmind.com/en/anonymous_proxies
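Two POSIX shell helpers for working with csf.blocklists offline, as an added example that is not part of the original article or of csf. blocklists_validate checks each enabled NAME|INTERVAL|MAX|URL line against the rules in the file header (uppercase name of at most 9 letters, INTERVAL of at least 3600, numeric MAX, an http(s) URL). blocklist_entries approximates what csf describes loading from a downloaded list: the first IPv4 or IPv4/CIDR token on each non-comment line, cut off at MAX, which is why a MAX of 100 as in my file above keeps only the first 100 entries of each list (Spamhaus DROP alone is longer than that) and silently ignores the rest. The parsing rules here (comment lines start with # or ;, first matching token per line) are this example’s own simplification of csf’s behaviour, and the sample list data in the usage below is constructed, not fetched from any provider.

```shell
#!/bin/sh
# Added example, not csf's own code: offline helpers for csf.blocklists.
# Assumptions: comment lines in published lists start with '#' or ';', and
# csf takes one IPv4/CIDR per line up to MAX (0 = all), in list order.
set -eu

# Print the entries csf would take from a raw list file (MAX of 0 = all).
blocklist_entries() {
    list="$1"; max="${2:-0}"
    awk '
        $1 ~ /^[#;]/ || NF == 0 { next }          # skip comments and blank lines
        {
            for (i = 1; i <= NF; i++)             # first IPv4 or IPv4/CIDR token wins
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) { print $i; break }
        }' "$list" \
    | { if [ "$max" -gt 0 ]; then head -n "$max"; else cat; fi; }
}

# Count a list's usable entries so MAX can be sized against the real length.
blocklist_count() { blocklist_entries "$1" 0 | wc -l | tr -d ' '; }

# Validate the enabled (uncommented) lines of a csf.blocklists file against
# the header rules. Prints one OK/ERROR line per rule, returns 1 on any ERROR.
blocklists_validate() {
    report=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | while IFS='|' read -r name interval max url; do
        reason=""
        echo "$name" | grep -Eq '^[A-Z]{1,9}$' || reason="name must be 1-9 uppercase letters (it becomes the iptables chain name)"
        echo "$interval" | grep -Eq '^[0-9]+$' && [ "$interval" -ge 3600 ] || reason="${reason:-interval must be a number >= 3600 seconds}"
        echo "$max" | grep -Eq '^[0-9]+$' || reason="${reason:-max must be a number (0 = all entries)}"
        echo "$url" | grep -Eq '^https?://' || reason="${reason:-url must start with http:// or https://}"
        if [ -n "$reason" ]; then echo "ERROR $name: $reason"; else echo "OK $name"; fi
    done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^ERROR'
}

# Usage (constructed sample data, not a real feed):
#   blocklists_validate /etc/csf/csf.blocklists
#   blocklist_count /etc/csf/csf.block.SPAMDROP      # compare with the MAX you set
#   blocklist_entries /etc/csf/csf.block.SPAMDROP 100  # what MAX=100 actually keeps
```

Run blocklists_validate before restarting csf and lfd after editing the file, and compare blocklist_count on each downloaded /etc/csf/csf.block.NAME file with the MAX you configured: if the count is well above MAX, the list is being truncated and you are not blocking what you think you are.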

For added security you’ll need other tools and/or services, for example ModSecurity at the application layer, or APF + BFD instead of CSF + LFD if you prefer them. Also, CSF does not improve your page load speed, lower server load, provide a CDN or any of the many other Cloudflare-specific features. Still, if for some reason you don’t want Cloudflare in front of your server’s traffic, then this is an alternative starting point.

Enjoy!