Archive for October 2, 2010

Lxadmin_安装CSF防火墙_应对DDOS攻击

ena,下载与安装
01.cd /usr/local/src

02.wget http://www.configserver.com/free/csf.tgz

03.tar -zxvf csf.tgz

04.cd csf

05../install.sh
CSF的配置
要HypeVm和lxadmin的正常使用需添加777*,888*和5558端口的支持
1,配置端口(/etc/csf/csf.conf)
增加TCP端口支持(HypeVm和Lxadmin需要):7776,7777,7778,7779,8886,8887,8888,8889,5558

# Allow incoming TCP ports
TCP_IN = “20,21,22,25,53,80,110,143,443,465,587,993,995,7776,7777,7778,7779,8886,8887,8888,8889,5558”

# Allow outgoing TCP ports
TCP_OUT = “20,21,22,25,53,80,110,113,443,7776,7777,7778,7779,8886,8887,8888,8889,5558”

2,打开MONOLITHIC_KERNEL支持(/etc/csf/csf.conf)

01.# One example is if the ip_conntrack and ip_conntrack_ftp iptables kernel

02.# modules are not available. If this happens, FTP passive mode (PASV) won’t

03.# work. In such circumstances you will have to open a hole in your firewall and

04.# configure the FTP daemon to use that same hole. For example, with pure-ftpd

05.# you could add the port range 30000:35000 to TCP_IN and add the following line

06.# to /etc/pure-ftpd.conf (without the leading #):

07.# PassivePortRange 30000 35000

08.# Then restart pure-ftpd and csf and passive FTP should then work

09.MONOLITHIC_KERNEL = “1”

3,如果你要能ping同你的HyperVm服务器需设置(/etc/csf/csf.conf)

01.# Allow incoming PING

02.ICMP_IN = “1”.

4,如果你使用的是OpenVz虚拟化技术你需要添加以下语句到您的/etc/csf/csfpre.sh文件
01.iptables -A INPUT -i venet0 -j ACCEPT

02.iptables -A OUTPUT -o venet0 -j ACCEPT

03.iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i venet0

04.iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o venet0

注意1:/etc/csf/csfpre.sh可能不存在你需要新建它CSF每次运行的时候都会执行这个文件的

测试CSF
01.service csf start

如果可以了的话请关闭测试功能(配置/etc/csf/csf.conf)
01.# Testing flagenables a CRON job that clears iptables incase of

02.# configuration problems when you start csf. This should be enabled until you

03.# are sure that the firewall worksi.e. incase you get locked out of your

04.# server! Then do remember to set it to 0 and restart csf when you’re sure

05.# everything is OK. Stopping csf will remove the line from /etc/crontab

06.TESTING = “0”

重启CSF
01.service csf restart

高级配置(配置/etc/csf/csf.conf)
你可以关闭进程和用户进程跟踪
01.PT_USERTIME = “0”

02.PT_LIMIT = “0”

03.PT_USERPROC = “0”

Komentarji