Integrated User Interface Feature
This feature provides an HTML UI to the features of csf and lfd, without requiring a control panel or web server. The UI runs as a subprocess of the lfd daemon.
As it runs under the root account and successful login provides root access to the server, great care should be taken when configuring and using this feature. There are additional restrictions to enhance secure access to the UI:
- An SSL connection is required
- Separate ban and allow files are provided to only allow access to listed IP addresses
- Local IP addresses cannot connect to the UI (i.e. all IP addresses configured on the server NICs)
- Unique sessions, session timeouts, session cookies and browser headers are used to identify and restrict active sessions
Requirements:
- openssl
- Perl modules: Net::SSLeay, IO::Socket::SSL and dependent modules
- SSL keys
- Entries in /etc/csf/ui/ui.allow
The SSL server uses the following files:
- SSL Key goes into /etc/csf/ui/server.key
- SSL Certificate goes into /etc/csf/ui/server.crt
Preferably, real CA signed certificates should be used. You can use an existing domain and cert for accessing the UI by populating the two files mentioned. If the cert has a ca bundle, it should be appended to the server.crt file. lfd must be restarted after making any changes: http://httpd.apache.org/docs/current/ssl/ssl_faq.html#realcert
Alternatively, you could generate your own self-signed certificate: http://httpd.apache.org/docs/current/ssl/ssl_faq.html#selfcert
Any keys used must have their pass-phrase removed: http://httpd.apache.org/docs/current/ssl/ssl_faq.html#removepassphrase
The login URL should use the domain you have listed in the self-signed cert: https://<yourdomain>:<port>
For example: https://www.somedomain.com:6666
Your browser must accept session cookies to gain access.
UI_ALLOW is enabled by default, so IP addresses (or CIDRs) allowed to use this UI must be listed in /etc/csf/ui/ui.allow before trying to connect to the UI.
Only IP addresses can be listed/used in /etc/csf/ui/ui.ban - this file should only be used by the UI to prevent login. Use csf blocks to prevent access to the configured port and only use Advanced Allow/Deny Filters for access, i.e. do not list the port in TCP_IN.
UI events are logged to the lfd log file, /var/log/lfd.log. Check this file if you are unable to access the UI.
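The checks below audit the settings described above before the UI is exposed. This is an added example, not part of csf: the function names are hypothetical, the default paths are the ones named on this page, and it assumes the UI listener port is held in the csf.conf setting UI_PORT and that settings use the `KEY = "value"` form.

```shell
#!/bin/sh
# Added example: preflight audit of the csf integrated UI settings.
# Default paths are the ones named on this page; UI_PORT is the csf.conf
# setting that holds the UI listener port.

# conf_value FILE KEY: print the value of a KEY = "value" line in csf.conf
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# port_in_list PORT LIST: succeed if PORT appears in a csf port list (a,b,lo:hi)
port_in_list() {
    old_ifs=$IFS; IFS=,
    for item in $2; do
        case $item in
            *:*) [ "$1" -ge "${item%%:*}" ] && [ "$1" -le "${item##*:}" ] &&
                     { IFS=$old_ifs; return 0; } ;;
            *)   [ "$item" = "$1" ] && { IFS=$old_ifs; return 0; } ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

# audit_csf_ui [UI_DIR] [CSF_CONF]: print findings, return how many there were
audit_csf_ui() {
    ui_dir=${1:-/etc/csf/ui}; conf=${2:-/etc/csf/csf.conf}; findings=0
    [ -s "$ui_dir/server.key" ] || flag "server.key is missing or empty"
    [ -s "$ui_dir/server.crt" ] || flag "server.crt is missing or empty"
    # An encrypted PEM key announces itself in its header lines
    grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type:.*ENCRYPTED)' "$ui_dir/server.key" \
        2>/dev/null && flag "server.key still has a pass-phrase"
    # UI_ALLOW is on by default, so ui.allow needs at least one real entry
    grep -Eqv '^[[:space:]]*(#|$)' "$ui_dir/ui.allow" 2>/dev/null ||
        flag "ui.allow has no IP or CIDR entries"
    [ "$(conf_value "$conf" UI_ALLOW)" = "0" ] &&
        flag "UI_ALLOW is disabled, so ui.allow is not enforced"
    port=$(conf_value "$conf" UI_PORT)
    [ -n "$port" ] && port_in_list "$port" "$(conf_value "$conf" TCP_IN)" &&
        flag "UI port $port is listed in TCP_IN and open to every source"
    return "$findings"
}
```

Source the file and run `audit_csf_ui` as root with no arguments to check the default locations; a return status of 0 means none of these checks raised a finding.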
Required Perl Modules:
- On Debian v6 the perl modules can be installed using:
apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl \
    libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl
- On CentOS v6 the perl modules can be installed using:
yum install perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN \
    perl-IO-Socket-INET6 perl-Socket6
Control Panels
InterWorx
InterWorx integration is available for csf. The installation makes changes to the underlying InterWorx installation due to its current dependence on APF. To cater for this, installing csf will replace /etc/apf/apf with a stub script that redirects commands to csf. The script is then chattr +ia to prevent it being overwritten.
Note: None of the apf conf files are used and are ignored by csf.
The Firewall UI option in NodeWorx should now not be used and any changes made there will not be reflected in iptables.
There is a UI option under "ConfigServer Services" for "ConfigServer Firewall & Security" that should now be used.
The installation will also replace the Firewall page in NodeWorx with a dummy page stating that csf should be used instead. lfd will replace the page upon restart in case of upgrades to InterWorx. If you want to disable this behaviour, create an empty file as follows:
touch /etc/cxs/interworx.firewall
The InterWorx plugin for csf is auto-enabled. Enabling or Disabling the InterWorx plugin has no effect on csf itself, only the UI plugin presence.
NOTE: Unless you have configured a root forwarder, you should edit the csf configuration settings in /etc/csf/csf.conf or via the UI and set LF_ALERT_TO to a suitable email address. After making any changes, restart csf and then lfd.
OpenPanel
OpenPanel integration is available for csf. The module is developed and maintained by OpenPanel themselves.
CentOS Web Panel (CWP)
CWP integration is available for csf. Since CWP already has some custom modifications, these have been taken into account. To access the now inbuilt UI in CWP, there is a new menu option in CWP > ConfigServer Scripts > ConfigServer Firewall.
There is now an option in /etc/csf/csf.conf for LF_CWP for login failure detection. However, this WILL NOT work with the default CWP installation as there is a custom entry in /etc/csf/regex.custom.pm. The now official detection will be ignored while this is in place.
If you want to use the now inbuilt detection you must edit /etc/csf/regex.custom.pm and remove the 3 lines that comprise the custom entry and then restart lfd.
UI Skinning
The csf UI provided through cPanel, OpenPanel, DirectAdmin, Webmin and the integrated UI via lfd all use the Bootstrap and jQuery frameworks. Additional styling is added to complement the frameworks and the UI flow.
If you want to make changes to the styling or add jQuery or JavaScript code you can create:
- A text file /etc/csf/csf.header which will be included in each of the UI pages before the closing </head> tag
- A text file /etc/csf/csf.body which will be included in each of the UI pages after the opening <body> tag[*]
- A text file /etc/csf/csf.footer which will be included in each of the UI pages before the closing </body> tag
The html tag will also have a data-post field containing the internal action being performed by the UI.
You can also make additions to the <html> and <body> tags by creating /etc/csf/csf.htmltag and /etc/csf/csf.bodytag respectively[*]. Additions made in these files MUST all be on a single line at the top of the file; anything else will be ignored. The text will then be placed within the respective tag, e.g. if you want <body data-name='result'> you would put the following on a single line in /etc/csf/csf.bodytag:
data-name='result'
[*] This functionality is ONLY available on webmin servers
Mobile View
The Mobile View feature has a breakpoint of 600px which will initiate the full browser subset of UI features. This may mean breaking out of framesets in some control panels, so a return to the main control panel window is included. Also, switching back to the Desktop View will remain in the full browser display.
If you switch to the Mobile View and then switch to the main control panel window, further accesses to the UI will always default to the Mobile View. If you switch back after returning to the Desktop View, subsequent access will default to that view. This reverts back to the default breakpoint behaviour in new browser sessions, as the system uses session cookies to keep track of the chosen view, which are reset on browser shutdown.
There are options in csf.conf that control the behaviour of these options under STYLE_*. Any styling changes MUST respect these options.
Note: We do NOT recommend reformatting the UI output as any changes in the core code may not be reflected in the user experience and can break the product. Only style changes should be made.