@dkrusky
Last active February 28, 2020 15:54
Consolidates CSF parameters into a single script that downloads any required runtimes for your distro, detects and enables the IPv6 firewall, and installs and configures CSF. Tested on Debian and CentOS.
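#!/usr/bin/env bash
#
# Consolidated CSF (ConfigServer Security & Firewall) installer.
#
# Installs the Perl/ipset runtime for the detected package manager (apt-get or
# yum), probes for working IPv6 so csf's IPv6 firewall can be enabled, downloads
# and installs CSF when /etc/csf/csf.conf is absent, and finally rewrites
# csf.conf with the values declared in the block below. Every destructive step
# is confirmed interactively. Must be run as root.
#
# bash is required (read -p, ${!var}, arrays). Debian's /bin/sh is dash, whose
# read has no -p option, so the shebang deliberately is not /bin/sh.
set -eu

CSF="/etc/csf/csf.conf"
# The CSF tarball is fetched over HTTPS only; no checksum or signature is
# published for it here, so the TLS transport is the only integrity check.
CSF_URL="https://download.configserver.com/csf.tgz"
# Any IPv6-reachable HTTPS host works for the connectivity probe; change it if
# this machine should not contact the default third-party host.
IPV6_PROBE_URL="https://my.microvb.com"

# set the values as you wish them to be set in the running version of csf
RESTRICT_UI='2'
RESTRICT_SYSLOG='3'
LF_SPI='1'
TCP_IN='25,80,110,443,465,587,995,2083'
TCP_OUT='20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703'
UDP_IN='33434:33523'
UDP_OUT='20,21,53,113,123,873,6277,24441,33434:33523'
ICMP_IN='0'
ICMP_OUT='1'
TCP6_IN=''
TCP6_OUT='20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703'
UDP6_IN=''
UDP6_OUT='20,21,53,113,123,873,6277,24441'
IGNORE_ALLOW='0'
DENY_IP_LIMIT='200'
DENY_TEMP_IP_LIMIT='100'
LF_DAEMON='1'
LF_CSF='1'
FASTSTART='1'
LF_IPSET='1'
SMTP_BLOCK='1'
SMTP_ALLOWLOCAL='1'
SMTP_PORTS='25,465,587'
SYSLOG='0'
DROP='DROP'
DROP_LOGGING='1'
DROP_OUT_LOGGING='1'
DROP_NOLOG='67,68,111,113,135:139,445,500,513,520'
LF_PERMBLOCK='1'
LF_PERMBLOCK_INTERVAL='86400'
LF_PERMBLOCK_COUNT='4'
DYNDNS='300'
DYNDNS_IGNORE='1'
URLGET='2'
CC_DENY='AR,BE,CL,CN,CO,CS,ES,FR,GR,HK,IT,KO,PA,PE,PH,PL,RS,RU,SG,SK,TH,UA,VN,AE,AF,AL,AS,AZ,BA,BD,BF,BH,BJ,BN,CI,DJ,EG,EH,ER,ET,GM,GN,GW,IQ,IR,IS,JO,KG,KM,KW,KZ,LB,LY,MC,MK,ML,MR,MV,MY,NE,NG,OM,PK,PS,QA,SA,SD,SL,SN,SO,SY,TD,TJ,TM,TN,TR,UZ,XK,YE,YT'
CC_ALLOW=''
CC_LOOKUPS='1'
CC6_LOOKUPS='1'
LF_SSHD='1'
LF_SSHD_PERM='1'
LF_FTPD='1'
LF_FTPD_PERM='1'
LF_SMTPAUTH='3'
LF_SMTPAUTH_PERM='1'
LF_EXIMSYNTAX='10'
LF_EXIMSYNTAX_PERM='1'
LF_POP3D='10'
LF_POP3D_PERM='1'
LF_IMAPD='1'
LF_IMAPD_PERM='1'
LF_HTACCESS='5'
LF_HTACCESS_PERM='1'
LF_CPANEL='1'
LF_CPANEL_PERM='1'
UI='0'
UI_USER='username'
# Placeholder credentials. The script refuses to run with UI='1' while
# UI_PASS is still 'password'. Any characters are safe here: the value is
# escaped before it reaches sed.
UI_PASS='password'
UI_CIPHER='ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH'
UI_SSL_VERSION='SSLv23:!SSLv3:!SSLv2'
MESSENGER='0'
# No changes below this line are necessary
TESTING='0'
DEBUG='0'
VERBOSE='0'

# Every csf.conf key rewritten by configure_csf, in the order the original
# sed script applied them. Each name must be a shell variable set above
# (IPV6 is set in main once connectivity has been probed).
CSF_KEYS=(
  TESTING RESTRICT_UI RESTRICT_SYSLOG LF_SPI TCP_IN TCP_OUT UDP_IN UDP_OUT
  ICMP_IN ICMP_OUT IPV6 TCP6_IN TCP6_OUT UDP6_IN UDP6_OUT IGNORE_ALLOW
  DENY_IP_LIMIT DENY_TEMP_IP_LIMIT LF_DAEMON LF_CSF FASTSTART LF_IPSET VERBOSE
  SMTP_BLOCK SMTP_ALLOWLOCAL SMTP_PORTS SYSLOG DROP DROP_LOGGING
  DROP_OUT_LOGGING DROP_NOLOG LF_PERMBLOCK LF_PERMBLOCK_INTERVAL
  LF_PERMBLOCK_COUNT DYNDNS DYNDNS_IGNORE URLGET CC_DENY CC_ALLOW CC_LOOKUPS
  CC6_LOOKUPS LF_SSHD LF_SSHD_PERM LF_FTPD LF_FTPD_PERM LF_SMTPAUTH
  LF_SMTPAUTH_PERM LF_EXIMSYNTAX LF_EXIMSYNTAX_PERM LF_POP3D LF_POP3D_PERM
  LF_IMAPD LF_IMAPD_PERM LF_HTACCESS LF_HTACCESS_PERM LF_CPANEL LF_CPANEL_PERM
  UI UI_USER UI_PASS UI_CIPHER UI_SSL_VERSION MESSENGER DEBUG
)

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Ask a yes/no question until it is answered.
# Arguments: $1 - prompt text (" [y/n] " is appended)
# Returns:   0 on yes; exits on no or when stdin is closed (the original
#            loop spun forever on EOF).
#######################################
confirm() {
  local answer
  while true; do
    read -r -p "$1 [y/n] " answer || die "No answer received; aborting"
    case "$answer" in
      [Yy]*) return 0 ;;
      [Nn]*) exit 0 ;;
      *) echo "Please answer yes or no." ;;
    esac
  done
}

# Escape $1 for the replacement side of a sed s/// expression, where '/',
# '&' and '\' would otherwise be interpreted (a UI_PASS containing '/' broke
# the original config rewrite).
sed_escape() {
  printf '%s' "$1" | sed -e 's/[&/\]/\\&/g'
}

#######################################
# Detect the distro family and the package manager to use.
# Globals:   OS, APT (written)
# Returns:   exits when neither marker is present
#######################################
detect_package_manager() {
  # /etc/redhat-release is checked first: an EL host with redhat-lsb installed
  # also has lsb_release and must not be treated as a Debian derivative.
  if [ -e /etc/redhat-release ]; then
    OS=$(cut -d' ' -f1 /etc/redhat-release)
    APT="yum"
  elif [ -x /usr/bin/lsb_release ]; then
    OS=$(/usr/bin/lsb_release -is)
    APT="apt-get"
  else
    die "This operating system is not supported"
  fi
  echo "Detected $OS; using $APT"
}

#######################################
# Refresh package metadata and install csf's Perl/ipset runtime.
# Globals:   APT (read)
#######################################
install_dependencies() {
  # The original compared with '[ "$APT" eq "yum" ]', which is not a valid
  # test operator, so the yum branch never ran and EL hosts got Debian
  # package names.
  if [ "$APT" = "yum" ]; then
    # 'yum update' with no package list upgrades every installed package;
    # only the metadata refresh is wanted before installing.
    yum makecache -q
    # EL repositories name the LWP package perl-libwww-perl (Debian: libwww-perl).
    yum install ipset perl-libwww-perl perl-IO-Socket-SSL perl-Net-SSLeay perl-GDGraph -q
  else
    apt-get update -q
    apt-get install ipset libwww-perl libio-socket-ssl-perl libnet-ssleay-perl libgd-graph-perl -q
  fi
}

# Return 0 when ip6tables exists and an IPv6-only HTTPS request succeeds.
# curl's exit status is used rather than parsing the status line: the original
# awk '{print $3}' on an "HTTP/2 200" status line yields an empty field, and
# the unquoted $(...) inside [ ] word-split the result.
has_ipv6() {
  [ -e /sbin/ip6tables ] || return 1
  curl --connect-timeout 10 --ipv6 --retry 0 -Is "$IPV6_PROBE_URL" >/dev/null 2>&1
}

#######################################
# Download and unpack CSF into a private temp dir and run its installer.
# Globals:   CSF_URL (read), WORKDIR (written; removed by the EXIT trap)
#######################################
install_csf() {
  WORKDIR=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "$WORKDIR"' EXIT
  # curl replaces 'wget -q --show-progress': --show-progress needs wget >= 1.16
  # and is rejected by the 1.14 builds older hosts still ship. -f makes an HTTP
  # error exit non-zero instead of saving an error page as csf.tgz.
  curl -fsSL --retry 3 -o "$WORKDIR/csf.tgz" "$CSF_URL" || die "Download of $CSF_URL failed"
  tar -xzf "$WORKDIR/csf.tgz" -C "$WORKDIR" || die "Could not unpack csf.tgz"
  confirm "Would you like to install CSF ?"
  # install.sh uses paths relative to the unpacked csf/ directory.
  (cd "$WORKDIR/csf" && sh install.sh) || die "CSF install.sh failed"
}

#######################################
# Abort when csftest.pl reports a FATAL problem or fails to run.
# The report is captured once and printed in full only on failure. The
# original tested the grep output unquoted inside [ ], so a multi-word FATAL
# line raised a test error and was silently ignored.
#######################################
check_csftest() {
  local report rc=0
  report=$(/usr/bin/perl /usr/local/csf/bin/csftest.pl 2>&1) || rc=$?
  if [ "$rc" -ne 0 ] || grep -q FATAL <<<"$report"; then
    printf '%s\n' "$report"
    die "You should correct the above errors, then run this setup again"
  fi
}

# ufw and csf both drive iptables; disable ufw when it is present.
# (The original condition was inverted: it ran 'ufw disable' only when
# /etc/ufw did NOT exist.)
disable_ufw() {
  if [ -d /etc/ufw ] && command -v ufw >/dev/null 2>&1; then
    ufw disable
  fi
}

# csf ships a helper that removes the apf/bfd firewalls it replaces.
remove_apf_bfd() {
  if [ -x /usr/local/csf/bin/remove_apf_bfd.sh ]; then
    /usr/local/csf/bin/remove_apf_bfd.sh
  fi
}

#######################################
# Rewrite each KEY = "value" line in csf.conf from the variable of the same
# name. Only the quoted value is replaced; key, spacing and quotes are kept.
# Globals:   CSF, CSF_KEYS and every variable named in CSF_KEYS (read)
#######################################
configure_csf() {
  local key value
  [ -e "$CSF" ] || die "$CSF not found; was CSF installed?"
  # Keep a copy of the pre-rewrite file so the change can be diffed or undone.
  cp -p -- "$CSF" "$CSF.pre-setup"
  for key in "${CSF_KEYS[@]}"; do
    value=$(sed_escape "${!key}")
    sed -i -E 's/^('"$key"' *= *")[^"]*/\1'"$value"'/' "$CSF"
  done
}

main() {
  [ "$(id -u)" -eq 0 ] || die "This script must be run as root"
  if [ "$UI" = '1' ] && [ "$UI_PASS" = 'password' ]; then
    die "UI is enabled but UI_PASS is still the placeholder; set a real password first"
  fi
  detect_package_manager
  confirm "Do you wish to install and configure this system ?"
  install_dependencies
  # Set firewall to enabled if IPv6 connectivity is found.
  IPV6='0'
  if has_ipv6; then
    IPV6='1'
    if [ "$APT" = "yum" ]; then
      yum install perl-IO-Socket-INET6 -q
    else
      apt-get install libio-socket-inet6-perl -q
    fi
  fi
  if [ ! -e "$CSF" ]; then
    install_csf
  fi
  check_csftest
  disable_ufw
  remove_apf_bfd
  confirm "Would you like to automatically configure CSF ?"
  echo "Setting up CSF firewall using the parameters assigned in this file..."
  configure_csf
  echo "csf.conf updated; restart csf (csf -r) for the new settings to take effect."
}

main "$@"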