Mar 01

Using CSF/LFD and IPTABLES to block specific traffic

You can easily block unwanted traffic using IPTABLES.  However, if your using csf/lfd from configserver you can easily block specific traffic.

If you are using cPanel or other web hosting platform, you are likely familiar with the wonderful tools from ConfigServer.  These tools will save your life and are all but required on every server.  Their free tool, csf/lfd, replaces what I once used in apf/bfd.  CSF is a drop in software firewall that will allow you custom build IPTABLES rules for your server.  There is a web based interface that shows up in WHM natively after installing.  I will be covering one option that I use regularly to block nefarious request to servers from the command line.

CSF allows the end user to create a file for post processing.  The normal location for this file is /etc/csf/csfpost.sh  The name must be csfpost.sh and the file must start with #!/bin/sh . The file will then be executed after every csf/lfd restart or upgrade.

In this file I use the following IPTABLES rule to block specific strings over http, note this does NOT work with https.

As an example, I block xmlrpc.php on my own personal servers and this is what is in the contents of csfpost.sh

/sbin/iptables -I INPUT -p tcp –dport 80 -m string –to 1000 –string “xmlrpc.php” –algo kmp -j DROP

You can insert just about anything you want to search for in the –string variable.  Keep in mind that these rules will add some cpu load.  I have used several rules like this to block bots, and other user agents that come in to http.

You can check how well your rules are working with the following command.

iptables -nvL INPUT

You will see output similar to this.

pkts bytes target     prot opt in     out     source               destination

919  823K DROP       tcp    *      *             tcp dpt:80 STRING match “xmlrpc.php” ALGO name kmp TO 1000

You can remove a rule command line by replacing -I with -D, for example this will delete this rule.

/sbin/iptables -D INPUT -p tcp –dport 80 -m string –to 1000 –string “xmlrpc.php” –algo kmp -j DROP

This prevents you from having to stop/start/restart csf/lfd.

Hope this helps someone out.