Consolidates CSF parameters into a single script that downloads any runtimes your distribution requires, detects IPv6 connectivity and enables the IPv6 firewall, and installs and configures CSF. Tested on Debian and CentOS.
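#!/usr/bin/env bash
# Installs ConfigServer Security & Firewall (CSF) and writes the settings
# declared below into /etc/csf/csf.conf.
#
# Steps: detect the package manager, install the Perl runtime CSF needs,
# detect IPv6 connectivity, download and install CSF, run csftest.pl,
# disable ufw if present, remove apf/bfd, then rewrite csf.conf.
#
# Bash is required: the script uses "read -p", "${!name}" and $'\n', none of
# which work under dash (/bin/sh on Debian). Must be run as root.
set -u

readonly CSF="/etc/csf/csf.conf"

# set the values as you wish them to be set in the running version of csf
RESTRICT_UI='2'
RESTRICT_SYSLOG='3'
LF_SPI='1'
TCP_IN='25,80,110,443,465,587,995,2083'
TCP_OUT='20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703'
UDP_IN='33434:33523'
UDP_OUT='20,21,53,113,123,873,6277,24441,33434:33523'
ICMP_IN='0'
ICMP_OUT='1'
TCP6_IN=''
TCP6_OUT='20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703'
UDP6_IN=''
UDP6_OUT='20,21,53,113,123,873,6277,24441'
IGNORE_ALLOW='0'
DENY_IP_LIMIT='200'
DENY_TEMP_IP_LIMIT='100'
LF_DAEMON='1'
LF_CSF='1'
FASTSTART='1'
LF_IPSET='1'
SMTP_BLOCK='1'
SMTP_ALLOWLOCAL='1'
SMTP_PORTS='25,465,587'
SYSLOG='0'
DROP='DROP'
DROP_LOGGING='1'
DROP_OUT_LOGGING='1'
DROP_NOLOG='67,68,111,113,135:139,445,500,513,520'
LF_PERMBLOCK='1'
LF_PERMBLOCK_INTERVAL='86400'
LF_PERMBLOCK_COUNT='4'
DYNDNS='300'
DYNDNS_IGNORE='1'
URLGET='2'
CC_DENY='AR,BE,CL,CN,CO,CS,ES,FR,GR,HK,IT,KO,PA,PE,PH,PL,RS,RU,SG,SK,TH,UA,VN,AE,AF,AL,AS,AZ,BA,BD,BF,BH,BJ,BN,CI,DJ,EG,EH,ER,ET,GM,GN,GW,IQ,IR,IS,JO,KG,KM,KW,KZ,LB,LY,MC,MK,ML,MR,MV,MY,NE,NG,OM,PK,PS,QA,SA,SD,SL,SN,SO,SY,TD,TJ,TM,TN,TR,UZ,XK,YE,YT'
CC_ALLOW=''
CC_LOOKUPS='1'
CC6_LOOKUPS='1'
LF_SSHD='1'
LF_SSHD_PERM='1'
LF_FTPD='1'
LF_FTPD_PERM='1'
LF_SMTPAUTH='3'
LF_SMTPAUTH_PERM='1'
LF_EXIMSYNTAX='10'
LF_EXIMSYNTAX_PERM='1'
LF_POP3D='10'
LF_POP3D_PERM='1'
LF_IMAPD='1'
LF_IMAPD_PERM='1'
LF_HTACCESS='5'
LF_HTACCESS_PERM='1'
LF_CPANEL='1'
LF_CPANEL_PERM='1'
# The CSF web UI stays disabled (UI='0'). UI_USER/UI_PASS are placeholders
# and are written into csf.conf in clear text: change them before UI='1'.
UI='0'
UI_USER='username'
UI_PASS='password'
UI_CIPHER='ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH'
UI_SSL_VERSION='SSLv23:!SSLv3:!SSLv2'
MESSENGER='0'
# No changes below this line are necessary
TESTING='0'
DEBUG='0'
VERBOSE='0'
# Set to '1' by install_runtime when IPv6 connectivity is detected.
IPV6='0'

# Every name listed here is written into csf.conf by apply_csf_config; each
# must be a variable defined above (an unset name aborts under "set -u").
readonly -a CSF_KEYS=(
  TESTING RESTRICT_UI RESTRICT_SYSLOG LF_SPI
  TCP_IN TCP_OUT UDP_IN UDP_OUT ICMP_IN ICMP_OUT
  IPV6 TCP6_IN TCP6_OUT UDP6_IN UDP6_OUT
  IGNORE_ALLOW DENY_IP_LIMIT DENY_TEMP_IP_LIMIT
  LF_DAEMON LF_CSF FASTSTART LF_IPSET VERBOSE
  SMTP_BLOCK SMTP_ALLOWLOCAL SMTP_PORTS SYSLOG
  DROP DROP_LOGGING DROP_OUT_LOGGING DROP_NOLOG
  LF_PERMBLOCK LF_PERMBLOCK_INTERVAL LF_PERMBLOCK_COUNT
  DYNDNS DYNDNS_IGNORE URLGET
  CC_DENY CC_ALLOW CC_LOOKUPS CC6_LOOKUPS
  LF_SSHD LF_SSHD_PERM LF_FTPD LF_FTPD_PERM
  LF_SMTPAUTH LF_SMTPAUTH_PERM LF_EXIMSYNTAX LF_EXIMSYNTAX_PERM
  LF_POP3D LF_POP3D_PERM LF_IMAPD LF_IMAPD_PERM
  LF_HTACCESS LF_HTACCESS_PERM LF_CPANEL LF_CPANEL_PERM
  UI UI_USER UI_PASS UI_CIPHER UI_SSL_VERSION MESSENGER DEBUG
)

# Set by detect_pkg_manager: distribution name (informational only) and the
# package-manager command used for every install step.
OS="UNKNOWN"
APT=""

# Scratch directory for the CSF download; removed on exit by cleanup.
WORKDIR=""

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Remove the download scratch directory, if one was created.
# Globals: WORKDIR (read)
#######################################
cleanup() {
  if [ -n "$WORKDIR" ]; then
    rm -rf -- "$WORKDIR"
  fi
}

#######################################
# Ask a yes/no question until the answer starts with y/Y or n/N.
# Arguments: $1 - question text (" [y/n] " is appended)
# Returns:   0 for yes, 1 for no
#######################################
confirm() {
  local answer
  while true; do
    read -r -p "$1 [y/n] " answer
    case "$answer" in
      [Yy]*) return 0 ;;
      [Nn]*) return 1 ;;
      *) echo "Please answer yes or no." ;;
    esac
  done
}

#######################################
# Pick yum or apt-get from distribution marker files.
# /etc/redhat-release is checked first: RHEL-family hosts may also ship
# lsb_release (redhat-lsb), which would otherwise select apt-get.
# Globals: OS, APT (written)
#######################################
detect_pkg_manager() {
  if [ -e /etc/redhat-release ]; then
    OS=$(cut -d' ' -f1 /etc/redhat-release)
    APT="yum"
  elif [ -e /usr/bin/lsb_release ]; then
    OS=$(/usr/bin/lsb_release -is)
    APT="apt-get"
  else
    die "This operating system is not supported"
  fi
}

#######################################
# Report whether the host has working IPv6: ip6tables must exist and an
# IPv6-only HTTPS HEAD request must return a status line.
# Returns: 0 when IPv6 connectivity is found, 1 otherwise
#######################################
has_ipv6() {
  local status
  [ -e /sbin/ip6tables ] || return 1
  # Third field of the status line ("HTTP/1.1 200 OK" -> "200"); empty when
  # curl could not connect over IPv6 (or is not installed).
  status=$(curl --connect-timeout 10 --ipv6 --retry 0 -Is https://my.microvb.com \
    | head -n 1 | awk -F '[: ]+' '{print $3}')
  [ -n "$status" ]
}

#######################################
# Install ipset and the Perl modules CSF depends on; add the INET6 module
# when IPv6 is available. Package failures are reported, not fatal, so a
# single unavailable package name does not abort the whole setup.
# Globals: APT (read), IPV6 (written)
#######################################
install_runtime() {
  # apt-get "update" only refreshes package lists; yum "update" also upgrades
  # installed packages. Kept as the author tested it.
  "$APT" update -q || echo "warning: $APT update failed" >&2
  if [ "$APT" = "yum" ]; then
    "$APT" install -q ipset libwww-perl perl-IO-Socket-SSL perl-Net-SSLeay perl-GDGraph \
      || echo "warning: runtime package install reported an error" >&2
    if has_ipv6; then
      IPV6='1'
      "$APT" install -q perl-IO-Socket-INET6 \
        || echo "warning: perl-IO-Socket-INET6 install reported an error" >&2
    fi
  else
    "$APT" install -q ipset libwww-perl libio-socket-ssl-perl libnet-ssleay-perl libgd-graph-perl \
      || echo "warning: runtime package install reported an error" >&2
    if has_ipv6; then
      IPV6='1'
      "$APT" install -q libio-socket-inet6-perl \
        || echo "warning: libio-socket-inet6-perl install reported an error" >&2
    fi
  fi
}

#######################################
# Download and install CSF unless csf.conf already exists. The user is asked
# before anything is fetched; every step is checked so a failed download can
# never lead to running an install script from the wrong directory.
# Globals: CSF (read), WORKDIR (written)
#######################################
install_csf() {
  if [ -e "$CSF" ]; then
    return 0
  fi
  confirm "Would you like to install CSF ?" || exit 0
  WORKDIR=$(mktemp -d) || die "mktemp failed"
  # The archive is fetched over HTTPS; nothing else verifies its integrity.
  # TODO(review): if the vendor publishes a checksum for csf.tgz, verify it here.
  wget -q --show-progress -O "$WORKDIR/csf.tgz" https://download.configserver.com/csf.tgz \
    || die "download of csf.tgz failed"
  tar -xzf "$WORKDIR/csf.tgz" -C "$WORKDIR" || die "could not extract csf.tgz"
  (cd "$WORKDIR/csf" && sh install.sh) || die "CSF install.sh failed"
}

#######################################
# Run CSF's own self-test and stop if it reports a FATAL problem.
# The test is run once and its output replayed, instead of twice as before.
#######################################
verify_csf() {
  local report
  report=$(/usr/bin/perl /usr/local/csf/bin/csftest.pl)
  if printf '%s\n' "$report" | grep -q FATAL; then
    printf '%s\n' "$report"
    die "You should correct the above errors, then run this setup again"
  fi
}

#######################################
# Disable ufw when it is installed (the previous test was inverted and ran
# "ufw disable" only when /etc/ufw was absent).
#######################################
disable_ufw() {
  if [ -d /etc/ufw ] && command -v ufw >/dev/null 2>&1; then
    ufw disable
  fi
}

#######################################
# Rewrite every key in CSF_KEYS inside csf.conf with the value of the
# same-named shell variable, in a single sed pass.
# Globals: CSF, CSF_KEYS and all listed variables (read)
#######################################
apply_csf_config() {
  local key value script=''
  for key in "${CSF_KEYS[@]}"; do
    value=${!key}
    # Escape the characters sed treats specially in a replacement (& / \)
    # so values are written literally.
    value=$(printf '%s' "$value" | sed -e 's/[&/\\]/\\&/g')
    # Matches the start of  KEY = "old"  and keeps everything up to the
    # opening quote; the anchor prevents KEY from matching KEY_SUFFIX lines.
    script+="s/^(${key} *= *\")[^\"]*/\\1${value}/"$'\n'
  done
  sed -i -E "$script" "$CSF"
}

main() {
  [ "$(id -u)" -eq 0 ] || die "This script must be run as root"
  trap cleanup EXIT
  detect_pkg_manager
  confirm "Do you wish to install and configure this system ?" || exit 0
  install_runtime
  install_csf
  verify_csf
  disable_ufw
  # run csf's remove script to get rid of apf or bfd if installed
  /usr/local/csf/bin/remove_apf_bfd.sh
  confirm "Would you like to automatically configure CSF ?" || exit 0
  echo "Setting up CSF firewall using the parameters assigned in this file..."
  if [ -e "$CSF" ]; then
    apply_csf_config
  fi
}

main "$@"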