CSF/LFD firewall installation guide for Plesk
Config Server Firewall (csf) and Login Failure Daemon (lfd) is a robust firewall solution having Stateful Packet Inspection (SPI), Login/Intrusion Detection and Security application for Linux servers. Although it is more compatible with CPanel we have been able to use the same for the Plesk hosting control panel also and it is running fine. Please visit the below link for more information. I have listed the installation steps for CSF / LFD.Login to your server with ‘root’ user and issue below commands : Change directory to either /root or /usr/local/src , which ever you normally use for such installations
# cd /usr/local/src
[Remove any old source that might be present] Download and untar the source for installation
# wget # tar -xzf csf.tgz
Run installation script
# cd csf # sh
Once the installation complete, you can run the below scripts provided by vendor to check if your server/vps has required iptables modules available :
# perl /etc/csf/
CSF provides the script to remove the other popular combination I talked about above i.e. apf/bfd, The below script will remove apf/bfd from your server/vps.
# sh /etc/csf/
Common setting for incoming/outgoing TCP/IP and UDP connection.
ETH_DEVICE = “eth1” ETH_DEVICE_SKIP = “eth0” # Allow incoming TCP ports TCP_IN = “20,21,25,53,80,106,110,111,143,443,465,587,865,873,993,995,8443,8880” # Allow outgoing TCP ports TCP_OUT = “20,21,22,25,80,110,443,43,873,8443” # Allow incoming UDP ports UDP_IN = “53,111,123,230,631,859,862,2109,5353” # Allow outgoing UDP ports # To allow outgoing traceroute add 33434:33523 to this list UDP_OUT = “20,21,53,113,123,2109” # Allow incoming PING ICMP_IN = “1” # Set the per IP address incoming ICMP packet rate # To disable rate limiting set to “0” ICMP_IN_RATE = “0” # Allow outgoing PING ICMP_OUT = “1” # Set the per IP address outgoing ICMP packet rate # To disable rate limiting set to “0” ICMP_OUT_RATE = “0” # Enable login failure detection daemon (lfd). LF_DAEMON = “1”
For allowing Qmail in CSF alter below setting(s)
SMTP_BLOCK = “1” SMTP_ALLOWLOCAL = “1” SMTP_PORTS = “25,587” SMTP_ALLOWUSER = “qmaild,qmaill,qmailp,qmailq,qmailr,qmails” SMTP_ALLOWGROUP = “qmail,nofiles,mail,mailman”
Set CSF/LFD reporting FROM/TO ID as below [**** Need to set for Plesk]
Allowing third party block list checking
# Enable IP range blocking using the DShield Block List at LF_DSHIELD = “86400” # Enable IP range blocking using the Spamhaus DROP List at LF_SPAMHAUS = “86400” # Enable IP range blocking using the BOGON List at LF_BOGON = “86400”
Now Add the LFD ignore list for qmail/plesk mail user/process in csf.pignore file.
# vim /etc/csf/csf.pignore #### Custom for Plesk #### user:admin exe:/var/qmail/bin/qmail-smtpd exe:/usr/bin/imapd exe:/var/qmail/bin/qmail-queue exe:/usr/bin/pop3d exe:/var/qmail/bin/qmail-send cmd:qmail-send cmd:/usr/bin/pop3d Maildir cmd:/var/qmail/bin/qmail-queue cmd:/var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true cmd:/usr/bin/imapd Maildir exe:/var/qmail/bin/qmail-rspawn cmd:qmail-rspawn exe:/var/qmail/bin/qmail-clean cmd:qmail-clean exe:/usr/sbin/clamd cmd:clamd exe:/var/qmail/bin/splogger cmd:splogger qmail exe:/var/qmail/bin/qmail-remote.moved user:qmaill user:popuser user:qmaild user:qmails user:qmailr user:qmailq user:qscand exe:/usr/sbin/avahi-daemon user:avahi exe:/usr/local/sbin/zabbix_agentd cmd:/usr/local/sbin/zabbix_agentd user:zabbix exe:/usr/bin/sw-engine-cgi cmd:/usr/bin/sw-engine-cgi user:sso exe:/usr/sbin/sw-cp-serverd cmd:/usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config user:sw-cp-server exe:/usr/bin/sw-engine-cgi cmd:/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm user:psaadm exe:/usr/libexec/mysqld cmd:/usr/libexec/mysqld –basedir=/usr –datadir=/var/lib/mysql –user=mysql –pid-file=/var/run/mysqld/ –skip-external-locking –socket=/var/lib/mysql/mysql.sock user:mysql exe:/usr/libexec/hald-addon-acpi exe:/usr/sbin/hald cmd:hald user:haldaemon exe:/usr/bin/postgres user:postgres exe:/sbin/portmap cmd:portmap user:rpc exe:/usr/bin/xfs cmd:xfs -droppriv -daemon user:xfs exe:/usr/bin/python cmd:/usr/bin/python /usr/lib/mailman/bin/qrunner –runner=VirginRunner:0:1 -s user:mailman exe:/usr/java/jdk1.6.0_20/bin/java user:tomcat
Note: You may need to add few more process/user as per your requirement. Now start the CSF
# csf -s
Restart LFD
# service lfd restart
Installation is done, now check the website, mail  and other services(s) and disable TESTING mode and restart CSF/LFD
# csf -r # service lfd restart
I will list below some of very common commands you will need to use/manage csf firewall : Enabling the firewall
# csf –enable OR # csf -e
Disabling the firewall
# csf –disable # csf -x
Starting firewall / applying rules
# csf –start # csf -s
Stopping firewall / flushing rules
# csf –stop # csf -f
Adding an IP in firewall
# csf -d “Reason for blocking the IP
Comments (4)

4 responses to “CSF/LFD firewall installation guide for Plesk”

  1. extremely useful advice. thank you.

  2. JC says:

    If you wan the CSF gui, you could install webmin on your Plesk server. I use it on Hsphere, plesk and others.

Leave a Reply

Your email address will not be published. Required fields are marked *

5 + 3 =


Stay Updated

Please enter your details below to get
A Free Trial
x + x* =