I'm looking at using ConfigServer Security and Firewall (CSF; iptables-based). After I configure it properly, how much daily ongoing management is required of me to keep my server secure? Am I going to be flooded with "alert" emails that I need to check? Or does the firewall automatically take care of most security threats for me?

Note: I understand that there's more to server security than just a software firewall, but this question is specifically for CSF security management.

Hope4You

2 Answers

3

CSF/LFD installs easily and works with pretty much zero configuration. But the default configuration will send you a LOT of lfd emails about processes - and whilst it is possible to turn emails off entirely that's a bad idea for obvious reasons.

What you will need to do is spend the first few days of running CSF monitoring those emails and deciding if any of them represents an actual genuine threat. Unless you think your machine is already compromised or under attack, then hopefully the answer will be no. If the message does not relate to a threat, you can add the process involved to the pignore file, and you won't get emails relating to it again. Once all of those are done, and there will probably be a dozen or so, then you won't get emails from CSF any more unless there actually is a problem. It doesn't take much time but it's worth doing.

edit: clarify emails are from lfd not csf.

Pinkeye
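The triage loop the answer describes (read the lfd alerts, decide which processes are benign, add those to csf.pignore) can be scripted. The following is an added example and not part of the original answer or of CSF itself. It assumes a constructed alert layout that approximates lfd's "Excessive resource usage" mail, uses the `exe:/full/path` line form documented in csf.pignore, and applies a path-prefix heuristic of my own (executables under /tmp, /var/tmp or /dev/shm, or outside the usual system directories, are held back for a human to read) rather than anything CSF does itself.

```python
import re
from collections import Counter

# Constructed sample lfd alert bodies (not copied from a real server).
# The field layout approximates the "Excessive resource usage" mail.
SAMPLE_ALERTS = [
    """Time:         Mon Jun  4 17:00:00 2012 +0000
Account:      dovecot
Resource:     Process Time
Exceeded:     1830 > 1800 (seconds)
Executable:   /usr/libexec/dovecot/imap
Command Line: dovecot/imap
PID:          12345 (Parent PID:678)
Killed:       No
""",
    """Time:         Mon Jun  4 17:05:00 2012 +0000
Account:      mysql
Resource:     Process Time
Exceeded:     3601 > 1800 (seconds)
Executable:   /usr/sbin/mysqld
Command Line: /usr/sbin/mysqld --basedir=/usr
PID:          2222 (Parent PID:1)
Killed:       No
""",
    """Time:         Mon Jun  4 17:10:00 2012 +0000
Account:      www-data
Resource:     Process Time
Exceeded:     1900 > 1800 (seconds)
Executable:   /tmp/.x/worker
Command Line: /tmp/.x/worker
PID:          3333 (Parent PID:1)
Killed:       No
""",
    """Time:         Mon Jun  4 17:40:00 2012 +0000
Account:      dovecot
Resource:     Process Time
Exceeded:     1850 > 1800 (seconds)
Executable:   /usr/libexec/dovecot/imap
Command Line: dovecot/imap
PID:          12400 (Parent PID:678)
Killed:       No
""",
]

# One "Key: value" field per line; keys may contain spaces ("Command Line").
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s+(?P<value>.*)$", re.MULTILINE)

# Heuristic of my own, not a CSF rule: where a legitimate long-running
# daemon is expected to live, and where one almost never should.
TRUSTED_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/usr/libexec/", "/usr/lib/", "/sbin/", "/bin/")
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_alert(text):
    """Turn one alert body into a dict of its fields."""
    return {m.group("key").strip(): m.group("value").strip() for m in FIELD_RE.finditer(text)}


def needs_review(alert):
    """True when a human should read the alert instead of silencing it."""
    exe = alert.get("Executable", "")
    if not exe or alert.get("Killed", "No") != "No":
        return True
    if exe.startswith(WRITABLE_PREFIXES):
        return True
    return not exe.startswith(TRUSTED_PREFIXES)


def triage(alert_texts):
    """Split alerts into pignore candidates and alerts needing a look.

    Returns (pignore_lines, review_alerts, counts_by_executable); pignore
    lines are deduplicated and use the exe:/path form from csf.pignore.
    """
    counts = Counter()
    pignore, review, seen = [], [], set()
    for text in alert_texts:
        alert = parse_alert(text)
        exe = alert.get("Executable", "<unknown>")
        counts[exe] += 1
        if needs_review(alert):
            review.append(alert)
            continue
        line = f"exe:{exe}"
        if line not in seen:
            seen.add(line)
            pignore.append(line)
    return pignore, review, counts


if __name__ == "__main__":
    lines, review, counts = triage(SAMPLE_ALERTS)
    print("# candidate lines for /etc/csf/csf.pignore (check before appending)")
    for line in lines:
        print(f"{line}    # seen {counts[line[4:]]}x")
    print("# alerts that still need a human:")
    for a in review:
        print(f"- {a.get('Account')} ran {a.get('Executable')} (PID {a.get('PID')})")
```

The output is a list to check and paste, not something to append blindly: the prefix heuristic only sorts alerts into "probably a known daemon" and "look at this", and the /tmp entry in the constructed sample is exactly the kind that should stay in the review pile. After editing csf.pignore, lfd must be restarted so it re-reads the file.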
1

I run csf on my server. It does send quite a lot of emails, normally moaning about excessive usage on users such as dovecot when it exceeds its execution time. However, as with every firewall and monitoring system, it outlines where your server is failing and needs improving.

CSF however goes overboard with the "excessive resource" emails and nowadays I ignore them since I have zabbix and other monitoring systems in place.

Sc0rian
  • How often do you receive "security threat" emails, where you need to take action manually to stop the threat? I'm hoping I don't have to manually respond to too many security threats, but rather that the firewall would automatically take care of it for me. – Hope4You Jun 04 '12 at 17:28
  • I get them all the time! Most of them are due to exceeded time to execute the process. You can tell CSF to ignore this in pignore: `/etc/csf/csf.pignore`. CSF does do a good job at keeping your server safe though, and takes little manual config. It will monitor port scans, auto block ips with too many failed logins on ftp, pop3 etc. It will also email you what it has temporarily blocked and ssh logins. – Sc0rian Jun 04 '12 at 17:59
  • Does CSF actually _block_ real users from accessing your site because of "exceeded time to execute the process"? Also, I'm not sure if you understood the question: "How often do you receive security threat emails, **where you need to take action manually** to stop the threat?" – Hope4You Jun 04 '12 at 18:17
  • The "exceeded" emails are not related to blocks. Just process information from the /proc entry for the PID, and if there's nothing there then either the OS isn't reporting it or the PID has died in the meantime. See: http://forum.configserver.com/viewtopic.php?f=6&t=2059. Manual action needs to be taken when you read something that is suspicious, such as a process name, port scanning etc. Hope this helps. – Sc0rian Jun 04 '12 at 19:50