Error when starting lfd:
[root@jump1-iuap-hb2-ali system]# systemctl restart csf
[root@jump1-iuap-hb2-ali system]# systemctl restart lfd
Job for lfd.service failed because a configured resource limit was exceeded. See "systemctl status lfd.service" and "journalctl -xe" for details.
Fix:
Edit /etc/csf/csf.conf and set the following option to 0:
PT_USERMEM = "0"
Configuring CSF for OpenVPN:
  1. Create the file:
        vim /etc/csf/csfpre.sh
  2. Add the following content (OpenVPN clients are on 10.8.0.0/24; the server's public-facing address is 10.3.15.206 on eth0):
        iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
        iptables -A FORWARD -j REJECT
        iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
        iptables -t nat -A POSTROUTING -j SNAT --to-source 10.3.15.206
  3. Then add the ports (including 1194 for OpenVPN) in csf.conf:
        TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,4728,1194,8899,81"
  4. Reload the firewall:
        csf -r

How to allow only specific countries with CSF

Log in to the WHM/cPanel configuration via WHM:
1. WHM
2. Plugins
3. ConfigServer Security & Firewall
4. Firewall Configuration
"OR"
1. Log in via SSH
# vi /etc/csf/csf.conf
What you are looking for is "CC_ALLOW_FILTER".
First, you will want to get a list of ISO country codes to allow.
For example, if you only wanted the United States, Canada, Great Britain, Australia, and Mexico to be whitelisted, you would specify:
US,CA,GB,AU,MX
What this will do is download a list of IP ranges belonging to those countries, add them to a whitelist, and deny everything else, that is, deny all other countries' IP ranges. So India will not be able to connect to your server, Russia will not be able to connect, etc.
Once you have changed this in your configuration, don't forget to restart your firewall to apply the new configuration.
Preventing DDoS (port flood) attacks:
PORTFLOOD = "22;tcp;5;300,4728;tcp;5;300,80;tcp;20;5,443;tcp;20;5,1194;tcp;20;5"
Explanation: # 1) If there are more than 5 connections to TCP port 22 within 300 seconds, block that IP address from port 22 for at least 300 seconds after the last packet is seen, i.e. a 300-second "quiet" period before the block is lifted.
#
# 2) If there are more than 20 connections to TCP port 80 within 5 seconds, block that IP address from port 80 for at least 5 seconds after the last packet is seen, i.e. a 5-second "quiet" period before the block is lifted.
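As an added example (not code from the original post), a small Python helper that parses the PORTFLOOD format used above (comma-separated port;proto;hits;interval entries), spells each rule out the way the explanation does, and flags any PORTFLOOD TCP port that TCP_IN does not open; the csf.conf fragment it reads is constructed from the values on this page.

```python
import re

# Constructed csf.conf fragment reusing the TCP_IN and PORTFLOOD values from this page.
CSF_CONF = '''
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,4728,1194,8899,81"
PORTFLOOD = "22;tcp;5;300,4728;tcp;5;300,80;tcp;20;5,443;tcp;20;5,1194;tcp;20;5"
'''


def get_setting(conf, key):
    """Return the double-quoted value of KEY from csf.conf text ('' if absent)."""
    m = re.search(rf'^\s*{re.escape(key)}\s*=\s*"([^"]*)"', conf, re.M)
    return m.group(1) if m else ""


def expand_ports(value):
    """Expand a TCP_IN style list ('22,80,30000:30010') into a set of port numbers."""
    ports = set()
    for item in filter(None, value.split(",")):
        lo, _, hi = item.partition(":")  # "a:b" denotes a port range in csf.conf
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_portflood(value):
    """Parse PORTFLOOD into (port, proto, hits, interval) tuples."""
    rules = []
    for entry in filter(None, value.split(",")):
        fields = entry.split(";")
        if len(fields) != 4:
            raise ValueError(f"malformed PORTFLOOD entry: {entry!r}")
        port, proto, hits, interval = fields
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol in PORTFLOOD entry: {entry!r}")
        rules.append((int(port), proto, int(hits), int(interval)))
    return rules


def describe(rule):
    """Spell out one rule the way the csf.conf comments do."""
    port, proto, hits, interval = rule
    return (f"more than {hits} connections to {proto}/{port} within {interval}s: "
            f"block the source from port {port} until {interval}s pass with no new packet")


def portflood_ports_not_opened(conf):
    """PORTFLOOD tcp ports that TCP_IN never opens; usually a slip in the config."""
    opened = expand_ports(get_setting(conf, "TCP_IN"))
    rules = parse_portflood(get_setting(conf, "PORTFLOOD"))
    return sorted(p for p, proto, _, _ in rules if proto == "tcp" and p not in opened)
```

Run `portflood_ports_not_opened(CSF_CONF)` on the fragment above and it returns an empty list, since every flood-limited port is also opened in TCP_IN; print `describe(r)` for each parsed rule to get the plain-language reading.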
Categories: SECURITY