Hi guys, many of you are already using CSF instead of stock iptables/fail2ban Hestia bundle.
Lupu did a pretty decent job with the firewall ipset integration in Hestia v1.2.0.
If you would like to achieve the very same functionality plus a lot more, then follow the step-by-step tutorial below, so that you don’t have to reinvent the wheel and/or say goodbye to CSF, but rather use its full potential.
I think that the sources of bad IPs can be improved, e.g. the ProjectHoneypot RSS offers only 25 IPs (even after registering), Tor traffic isn’t by default malicious, one could add SpamHaus EDROP in addition to DROP etc.
A quick and easy way would be to use the 3 levels (level 1-3) provided by FireHOL, which in my case (even after blocking several whole countries) still only blocks 50-75% of the malicious traffic.
PS: Regarding your poll, I’m using neither CSF nor HestiaCP’s built-in firewall. Instead I’m using custom iptables + ipsets (geoip and various blacklists) + hashlimit module. But I will re-evaluate CSF in the near future to see if it might suit me.
@martineliascz
Yeah? I run it through a script on one of my servers to get a simple text list of IPs, then add that to the bottom of csf.blocklists, for my other VPS/servers. The problem being that it also blocks the source of the list (being as it’s AWS)! So I temporarily exclude AWS, retrieve the list, then block it.
Note: some silly network uptime monitors use AWS for their agents. :-\
@AlwaysSkint - Yeah. It seems to me like you are reinventing the wheel here (via scripting). No need to do it with CSF, as it’s in my opinion the best firewall ever (for a VPS at least) and already offers all of those handy features.
Just append the following line & you are all set, no need to do any scripting:
@martineliascz
Never thought to try it, as it never crossed my mind that CSF would parse the JSON.
Will give it a bash, thanks!
P.S. I’ve used CSF for over 15 years on WHM/cPanel, so there’s no need to convince me, at least. Likewise mod_sec.
csf: IPSET creating set bl_AWS
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set bl_AWS src
csf: IPSET creating set bl_6_AWS
DROP all opt in * out * ::/0 -> ::/0 match-set bl_6_AWS src
AWS all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
AWS all opt in !lo out * ::/0 -> ::/0
After a few CSF restarts, I’m not convinced it is parsing it. Here’s using my method:
csf: IPSET creating set bl_AWSIP
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set bl_AWSIP src
csf: IPSET creating set bl_6_AWSIP
DROP all opt in * out * ::/0 -> ::/0 match-set bl_6_AWSIP src
csf: IPSET loading set bl_AWSIP with 1863 entries
csf: IPSET loading set bl_6_AWSIP with 0 entries
AWSIP all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
AWSIP all opt in !lo out * ::/0 -> ::/0
Admittedly IPv6 doesn’t appear to be added, but I don’t tend to use v6 (yet), so it hasn’t bothered me.
@AlwaysSkint - Furthermore, you can check: /var/lib/csf/csf.block.AWS
Also issue “ipset list” in a terminal; this is what you should get (if IPv6 is disabled in CSF):
Name: bl_AWS
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 59736
References: 1
Number of entries: 2009
Members:
ip_addresses
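An added example, not code from this thread or from CSF: it parses a constructed document in the shape of AWS's published ip-ranges.json (the real file uses the same "prefixes"/"ip_prefix" and "ipv6_prefixes"/"ipv6_prefix" keys; the networks here are made up) into de-duplicated IPv4 and IPv6 CIDR lists, drops an allow-listed prefix such as the one an uptime monitor's agents come from, and checks the result against "ipset list" output like the one shown above (also a constructed sample).

```python
import ipaddress
import json

# Constructed sample in the layout of AWS ip-ranges.json; all values are made up.
SAMPLE_IP_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "eu-west-1", "service": "AMAZON"},
    ],
})

# Constructed `ipset list bl_AWS` output, same format as the one quoted in the thread.
IPSET_LIST_SAMPLE = """Name: bl_AWS
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 59736
References: 1
Number of entries: 2
Members:
198.51.100.0/24
203.0.113.0/24
"""

def extract_prefixes(raw_json, exclude=()):
    """Return (ipv4_nets, ipv6_nets): de-duplicated, collapsed, sorted CIDR strings.

    `exclude` holds networks that must never be blocked (e.g. a monitor's agent
    range); a prefix is dropped only if it lies entirely inside an excluded net."""
    data = json.loads(raw_json)
    keep = [ipaddress.ip_network(n) for n in exclude]
    v4 = {ipaddress.ip_network(p["ip_prefix"]) for p in data.get("prefixes", [])}
    v6 = {ipaddress.ip_network(p["ipv6_prefix"]) for p in data.get("ipv6_prefixes", [])}
    def allowed(n):
        return not any(n.subnet_of(k) for k in keep if k.version == n.version)
    v4 = ipaddress.collapse_addresses(n for n in v4 if allowed(n))  # merges adjacent /25s
    v6 = ipaddress.collapse_addresses(n for n in v6 if allowed(n))
    return [str(n) for n in v4], [str(n) for n in v6]

def parse_ipset_list(text):
    """Parse `ipset list <set>` output into (header dict, list of member nets)."""
    header, members, in_members = {}, [], False
    for line in text.splitlines():
        if in_members:
            if line.strip():
                members.append(line.strip())
        elif line.startswith("Members:"):
            in_members = True
        elif ":" in line:
            key, value = line.split(":", 1)
            header[key.strip()] = value.strip()
    return header, members

def set_matches_source(ipset_text, expected_nets):
    """True if the kernel set's member count and members equal the source list."""
    header, members = parse_ipset_list(ipset_text)
    count_ok = int(header.get("Number of entries", -1)) == len(members)
    return count_ok and sorted(members) == sorted(expected_nets)
```

A set whose "Number of entries" is 0 (as in the bl_6_AWSIP case above) fails this check, which is the quickest way to spot a list that CSF fetched but did not actually load.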