CSF
CSF (ConfigServer Security & Firewall) is a free, advanced firewall tool designed for most Linux-based VPS/Cloud environments. In addition to basic packet filtering, CSF offers enhanced security features, including login intrusion and flood detection.
Login Security: If there are 10 unsuccessful login attempts, the IP address attempting the logins will be blocked by CSF. This blocking is determined based on the IP address and its subnet mask, preventing incoming traffic from that source.
Traffic Control: CSF allows you to specify which ports can be used for outgoing traffic. For example, you can permit only essential ports like 80, 443, and 587, enhancing your server's security.
Command Features: With CSF commands, you can manage IP addresses on the server firewall. This includes allowing, denying, blocking, and unblocking specific IPs, providing granular control over your server's security.
Overall, CSF provides robust security measures to protect your Linux-based VPS/Cloud environment from various threats.
Refer to the Cheatcode.txt for detailed information on CSF command manipulations. The csf.conf file includes the startup blocking mechanism, which provides best practices for managing in-house cloud servers.
The installation file guides you through the process of installing CSF on your cloud server, significantly enhancing security. While cloud platforms like AWS, Azure, or GCP provide basic port blocking by default, installing CSF offers a broader range of blocking capabilities for your application.
If you want your application to be accessible only from specific regions, you can configure this by allowing only those regions in the country list, providing enhanced control over your application's access.
The country code is a standard option used in the configuration file. All port and country blocks can be managed via the csf.conf file. In this file, you can specify:
- Allow incoming TCP ports
- Allow incoming IPv6 TCP ports
- Allow outgoing TCP ports
- Allow outgoing IPv6 TCP ports
For example, to block a specific country, you can set:
CC_DENY = "<country code>"
To allow port-based access to specific countries, you can configure:
CC_ALLOW_PORTS = "<country code>"
CC_ALLOW_PORTS_TCP = "21,3000, or other required ports"
This ensures that only the specified ports are accessible from the designated countries, enhancing your application's security.
I've utilized MaxMind's license, which eliminates the need for us to monitor IP addresses and their locations. MaxMind's API handles this for us. You can add the license directly to the csf.conf file at the specified location:
# MaxMind License Key:
MM_LICENSE_KEY = "Place the license key here"
MaxMind maintains the IP addresses and their locations in their database. By checking the API, our CSF will bind to their database. Alternatively, you can obtain IP addresses by region using this URL: https://lite.ip2location.com/ip-address-ranges-by-country.