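#######################################
# Install and enable the CSF firewall (csf + lfd) from an already
# extracted ./csf directory under $DIR_TMP, widen the default csf.conf
# port lists, turn off CSF testing mode and seed csf.pignore with the
# processes this stack runs.
# Globals (read): CSFINSTALLOK, CENTOS_SEVEN, FIREWALLD_DISABLE,
#                 DIR_TMP, CACHESKIP, boldgreen
# Calls:    cecho, csftweaks, cmchkconfig, cmservice (defined elsewhere
#           in the installer, not in this file)
# Outputs:  progress messages on stdout, diagnostics on stderr
# Returns:  0 when CSF install was not requested or on success; 1 if
#           $DIR_TMP or $DIR_TMP/csf cannot be entered or install.sh
#           fails (the previous version carried on regardless)
#######################################
csfinstalls() {
  #ASK "Install CSF firewall script ? [y/n] "
  if [[ "$CSFINSTALLOK" = [yY] ]]; then
    # if CentOS 7 is detected disable firewalld in favour
    # of iptables ip6tables for now
    if [[ "$CENTOS_SEVEN" = '7' ]]; then
      if [[ "$FIREWALLD_DISABLE" = [yY] ]]; then
        # disable firewalld
        systemctl disable firewalld
        systemctl stop firewalld
        # install iptables-services package
        yum -y install iptables-services
        # start iptables and ip6tables services
        # NOTE(review): between the firewalld stop above and this start
        # the host runs with no packet filter loaded; keep this block
        # free of anything slow
        systemctl start iptables
        systemctl start ip6tables
        systemctl enable iptables
        systemctl enable ip6tables
      fi
    fi
    echo "*************************************************"
    cecho "* Installing CSF firewall... " $boldgreen
    echo "*************************************************"
    echo "Installing..."
    # quote the path and stop on failure: previously a failed cd meant
    # 'cd csf; sh install.sh' ran from whatever the current directory was
    cd "$DIR_TMP" || { echo "csfinstalls: cannot cd to '${DIR_TMP:-<unset>}'" >&2; return 1; }
    #download csf tarball
    yum${CACHESKIP} -y install perl-libwww-perl
    #tar xzf csf.tgz
    # the download/extract steps above are commented out, so the csf
    # directory must already exist under $DIR_TMP
    cd csf || { echo "csfinstalls: '$DIR_TMP/csf' not found" >&2; return 1; }
    # without this guard the sed edits below would run against a
    # csf.conf that may not exist
    sh install.sh || { echo "csfinstalls: CSF install.sh failed" >&2; return 1; }
    # echo "Test IP Tables Modules..."
    # perl /etc/csf/csftest.pl
    echo "CSF adding memcached, varnish ports to csf.allow list..."
    # Replaces the stock TCP_IN list with a much wider one (memcached
    # 11211-11214, portmap/NFS 111/2049, 10000, 2222, 8080, 3000:3050, ...).
    # Anything in this list that listens on a public interface becomes
    # reachable from outside; services such as memcached are expected to
    # be bound to localhost. The substitution only fires if csf.conf still
    # carries the stock default string, otherwise it silently does nothing.
    sed -i 's/20,21,22,25,53,80,110,143,443,465,587,993,995/20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,2202,11211,11212,11213,11214,2049,2112,22000,22001,2222,3000,3334,8080,8888,81,9000,9001,9312,9418,10000,10500,10501,6081,6082,30865,3000:3050/g' /etc/csf/csf.conf
    sed -i "s/TCP_OUT = \"/TCP_OUT = \"111,2049,1110,1194,9418,/g" /etc/csf/csf.conf
    sed -i "s/UDP_IN = \"/UDP_IN = \"111,2049,1110,/g" /etc/csf/csf.conf
    sed -i "s/UDP_OUT = \"/UDP_OUT = \"111,2049,1110,33434:33523,/g" /etc/csf/csf.conf
    echo "Disabling CSF Testing mode (activates firewall)..."
    sed -i 's/TESTING = "1"/TESTING = "0"/g' /etc/csf/csf.conf
    # verify the edit took: if TESTING is still "1" csf stays in its
    # testing mode and the ruleset is not enforced as intended
    grep -q '^TESTING = "0"' /etc/csf/csf.conf \
      || echo "csfinstalls: warning: TESTING is not 0 in /etc/csf/csf.conf, CSF is still in testing mode" >&2
    csftweaks
    #######################################################
    # check to see if csf.pignore already has custom apps added
    # (grep -q replaces the old backtick capture; a missing file
    # still counts as "not yet added")
    if ! grep -qE '(user:nginx|user:nsd|exe:/usr/local/bin/memcached)' /etc/csf/csf.pignore; then
      echo "Adding Applications/Users to CSF ignore list..."
      # quoted delimiter: the list is literal, nothing is expanded
      cat >>/etc/csf/csf.pignore <<'EOF'
pexe:/usr/local/lsws/bin/lshttpd.*
pexe:/usr/local/lsws/fcgi-bin/lsphp.*
exe:/usr/local/bin/memcached
cmd:/usr/local/bin/memcached
user:mysql
exe:/usr/sbin/mysqld
cmd:/usr/sbin/mysqld
user:varnish
exe:/usr/sbin/varnishd
cmd:/usr/sbin/varnishd
exe:/sbin/portmap
cmd:portmap
exe:/usr/libexec/gdmgreeter
cmd:/usr/libexec/gdmgreeter
exe:/usr/sbin/avahi-daemon
cmd:avahi-daemon
exe:/sbin/rpc.statd
cmd:rpc.statd
exe:/usr/libexec/hald-addon-acpi
cmd:hald-addon-acpi
user:nsd
user:nginx
user:ntp
user:dbus
user:smmsp
user:postfix
user:dovecot
user:www-data
user:spamfilter
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/anvil
exe:/usr/libexec/dovecot/auth
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/imap-login
exe:/usr/libexec/postfix
exe:/usr/libexec/postfix/bounce
exe:/usr/libexec/postfix/discard
exe:/usr/libexec/postfix/error
exe:/usr/libexec/postfix/flush
exe:/usr/libexec/postfix/local
exe:/usr/libexec/postfix/smtp
exe:/usr/libexec/postfix/smtpd
exe:/usr/libexec/postfix/pickup
exe:/usr/libexec/postfix/tlsmgr
exe:/usr/libexec/postfix/qmgr
exe:/usr/libexec/postfix/virtual
exe:/usr/libexec/postfix/proxymap
exe:/usr/libexec/postfix/anvil
exe:/usr/libexec/postfix/lmtp
exe:/usr/libexec/postfix/scache
exe:/usr/libexec/postfix/cleanup
exe:/usr/libexec/postfix/trivial-rewrite
exe:/usr/libexec/postfix/master
EOF
    fi # check to see if csf.pignore already has custom apps added
    # enable and (re)start csf, then lfd, via the installer's
    # service wrappers
    cmchkconfig csf on
    cmservice csf restart
    csf -r
    cmchkconfig lfd on
    cmservice lfd start
    echo "*************************************************"
    cecho "* CSF firewall installed " $boldgreen
    echo "*************************************************"
  fi
}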