How to Install Config Server Firewall (CSF) on Debian/Ubuntu


ConfigServer Security & Firewall, abbreviated as CSF, is an open-source, advanced firewall designed for Linux systems. It not only provides basic firewall functionality but also offers a wide range of additional features such as login/intrusion detection, exploit checks, ping of death protection and much more.

It also provides UI integration for the official ConfigServer website.

In this guide, we will walk you through the installation and configuration of ConfigServer Security & Firewall (CSF) on Debian and Ubuntu.

Step 1: Install CSF Firewall on Debian and Ubuntu

First, you need to install some dependencies before you start installing the CSF firewall. In your terminal, update the package index:

$ sudo apt update

Next, install the dependencies as shown:

$ sudo apt install wget libio-socket-ssl-perl git perl iptables libnet-libidn-perl libcrypt-ssleay-perl  libio-socket-inet6-perl libsocket6-perl sendmail dnsutils unzip

With that out of the way, you can now proceed to the next step.

Since CSF is not included in the default Debian and Ubuntu repositories, you need to install it manually. To proceed, download the CSF tarball, which contains all the installation files, using the following wget command.

$ wget http://download.configserver.com/csf.tgz

This downloads a compressed file named csf.tgz.

Next, extract the compressed file.

$ tar -xvzf csf.tgz

This creates a folder named csf.

$ ls -l

Next, navigate into the csf folder.

$ cd csf

Then install CSF Firewall by running the installation script shown.

$ sudo bash install.sh

If everything went well, you should get output as shown.

At this point, CSF is installed. However, you need to verify that the required iptables modules are loaded. To do so, run the command:

$ sudo perl /usr/local/csf/bin/csftest.pl

Step 2: Configure CSF Firewall on Debian and Ubuntu

Some additional configuration is needed next: we need to change a few settings to enable CSF. So, head over to the csf.conf configuration file.

$ sudo nano /etc/csf/csf.conf

Change the TESTING directive from 1 to 0 as shown below.

TESTING = "0"

Next, set the RESTRICT_SYSLOG directive to 3 to restrict rsyslog/syslog access to members of RESTRICT_SYSLOG_GROUP only.

RESTRICT_SYSLOG = "3"

Next, you can open TCP and UDP ports by locating the TCP_IN, TCP_OUT, UDP_IN, and UDP_OUT directives.

By default, the following ports are open.

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

UDP_IN = "20,21,53,80,443"

UDP_OUT = "20,21,53,113,123"

Chances are that you do not need all of these ports open, and server best practice calls for opening only the ports you actually use. We recommend removing all unnecessary ports and leaving only those used by the services running on your system.
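One way to find the unnecessary ports is to compare TCP_IN with what is actually listening. The script below is an added example, not part of the original guide or of CSF; the sample data is constructed, and on a real host you would pass it the contents of /etc/csf/csf.conf and the output of `ss -H -ltn`.

```python
import ipaddress
import re

# Constructed samples: the default TCP_IN from this guide and `ss -H -ltn`
# output from an imagined host running SSH, a web server and a local-only MTA.
SAMPLE_CONF = 'TESTING = "0"\nTCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"\n'
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
"""


def csf_ports(conf_text, directive):
    """Return the set of ports listed in one csf.conf directive such as TCP_IN."""
    m = re.search(rf'^\s*{re.escape(directive)}\s*=\s*"([^"]*)"', conf_text, re.M)
    ports = set()
    for item in (m.group(1) if m else "").split(","):
        if item.strip():
            lo, _, hi = item.strip().partition(":")  # "30000:35000" is a range
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def external_listeners(ss_text):
    """Return TCP ports with a listener bound to a non-loopback address."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        if host != "*" and ipaddress.ip_address(host).is_loopback:
            continue  # reachable only from the host itself
        ports.add(int(port))
    return ports


def unused_open_ports(conf_text, ss_text, directive="TCP_IN"):
    """Ports the firewall accepts that no externally reachable service uses."""
    return sorted(csf_ports(conf_text, directive) - external_listeners(ss_text))


if __name__ == "__main__":
    print("Candidates to drop from TCP_IN:", unused_open_ports(SAMPLE_CONF, SAMPLE_SS))
```

Port 25 is reported even though something listens on it, because that listener is bound to 127.0.0.1 and an inbound firewall rule for it serves no purpose.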

Once you have finished specifying the ports you need, reload CSF as shown.

$ sudo csf -r

To list all the iptables rules defined on the server, run the command:

$ sudo csf -l

You can start the CSF firewall and enable it at boot as follows:

$ sudo systemctl start csf
$ sudo systemctl enable csf

Then confirm that the firewall is indeed running:

$ sudo systemctl status csf

Step 3: Blocking and Allowing IP Addresses in CSF Firewall

One of the key functions of a firewall is the ability to allow or block IP addresses from accessing the server. With CSF, you can whitelist (allow), blacklist (deny) or ignore IP addresses by editing the following configuration files:

  • csf.allow
  • csf.deny
  • csf.ignore

To block an IP address, simply open the csf.deny configuration file.

$ sudo nano /etc/csf/csf.deny

Then specify the IP addresses you want to block. You can list IP addresses line by line as shown:

192.168.100.50
192.168.100.120

Or you can use CIDR notation to block an entire subnet.

192.168.100.0/24

To allow an IP address through iptables and exclude it from all filters or blocks, edit the csf.allow configuration file.

$ sudo nano /etc/csf/csf.allow

You can list one IP address per line, or use CIDR addressing as shown earlier when blocking IPs.

NOTE: An IP address listed in csf.allow will be allowed even when it is explicitly defined in the csf.deny configuration file. To make sure an IP address is blocked or blacklisted, ensure that it is not listed in the csf.allow file.
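The precedence described in the note is easy to miss when csf.allow holds a CIDR range that covers a denied address. The check below is an added example, not part of the original guide or of CSF; it uses constructed file contents, handles only bare IP/CIDR lines, and skips any other entry syntax.

```python
import ipaddress

# Constructed samples; the 192.168.100.x addresses are the ones used in this guide.
SAMPLE_DENY = """\
# csf.deny (constructed sample)
192.168.100.50
192.168.100.120 # blocked after repeated login failures
10.20.30.0/24
"""
SAMPLE_ALLOW = """\
# csf.allow (constructed sample)
192.168.100.0/25 # office range
10.20.30.7
"""


def parse_entries(text):
    """Yield (line_no, network) for bare IP/CIDR lines, ignoring comments."""
    for no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            yield no, ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # not a bare IP/CIDR entry; skipped by this check


def shadowed_denies(deny_text, allow_text):
    """Return (deny, allow, kind) for each deny entry that csf.allow overrides.

    kind is "full" when the whole deny entry is allowed and "partial" when
    only part of a denied range is.
    """
    allows = [net for _, net in parse_entries(allow_text)]
    hits = []
    for _, deny in parse_entries(deny_text):
        for allow in allows:
            if deny.version != allow.version or not deny.overlaps(allow):
                continue
            kind = "full" if deny.subnet_of(allow) else "partial"
            hits.append((str(deny), str(allow), kind))
    return hits


if __name__ == "__main__":
    for deny, allow, kind in shadowed_denies(SAMPLE_DENY, SAMPLE_ALLOW):
        print(f"deny {deny} is overridden ({kind}) by allow {allow}")
```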

Additionally, CSF lets you exclude an IP address from iptables or filters. Any IP address in the csf.ignore file is exempted from the iptables filters. It can only be blocked if it is specified in the csf.deny file.

To exempt an IP address from the filters, open the csf.ignore file.

$ sudo nano /etc/csf/csf.ignore

Again, you can list IPs line by line or use CIDR notation.

And that wraps up our guide for today. We hope you can now install and configure the CSF firewall without a hitch.