Integrated User Interface Feature
Integrated User Interface. This feature provides an HTML UI to the features of csf and lfd, without requiring a control panel or web server. The UI runs as a sub-process of the lfd daemon.
As it runs under the root account and successful login provides root access to the server, great care should be taken when configuring and using this feature. There are additional restrictions to enhance secure access to the UI:
- An SSL connection is required
- Separate ban and allow files are provided to only allow access to listed IP addresses
- Local IP addresses cannot connect to the UI (i.e. all IP addresses configured on the server NICs)
- Unique sessions, session timeouts, session cookies and browser headers are used to identify and restrict active sessions
Requirements:
- openssl
- Perl modules: Net::SSLeay, IO::Socket::SSL and dependent modules
- SSL keys
- Entries in /etc/csf/ui/ui.allow
The SSL server uses the following files:
- SSL Key goes into /etc/csf/ui/server.key
- SSL Certificate goes into /etc/csf/ui/server.crt
Preferably, real CA signed certificates should be used: http://httpd.apache.org/docs/current/ssl/ssl_faq.html#realcert. You can use an existing domain and cert for accessing the UI by populating the two files mentioned. If the cert has a CA bundle, it should be appended to the server.crt file. lfd must be restarted after making any changes.
Alternatively, you could generate your own self-signed certificate: http://httpd.apache.org/docs/current/ssl/ssl_faq.html#selfcert
Any keys used must have their pass-phrase removed: http://httpd.apache.org/docs/current/ssl/ssl_faq.html#removepassphrase
The login URL should use the domain you have listed in the self-signed cert: https://<yourdomain>:<port>
For example: https://www.somedomain.com:6666
Your browser must accept session cookies to gain access.
UI_ALLOW is enabled by default, so IP addresses (or CIDRs) allowed to use this UI must be listed in /etc/csf/ui/ui.allow before trying to connect to the UI.
Only IP addresses can be listed/used in /etc/csf/ui/ui.ban - this file should only be used by the UI to prevent login. Use csf blocks to prevent access to the configured port and only use Advanced Allow/Deny Filters for access, i.e. do not list the port in TCP_IN.
UI events are logged to the lfd log file, /var/log/lfd.log. Check this file if you are unable to access the UI.
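The three conditions the notes above call out (an unencrypted key, valid ui.allow/ui.ban entries, and the UI port kept out of TCP_IN) can be checked before connecting. The script below is an added example, not part of csf; it works on constructed sample file contents so it runs offline, and it assumes the UI port is held in the UI_PORT setting of csf.conf.

```python
"""Pre-flight checks for the csf integrated UI (added example, not csf code)."""
import ipaddress
import re

# Constructed sample contents standing in for the real files.
SAMPLE_UI_ALLOW = "# admin workstation and office range\n203.0.113.10\n198.51.100.0/24\n"
SAMPLE_UI_BAN = "203.0.113.99\n192.0.2.0/24\n"   # second line is invalid: CIDRs are not allowed here
SAMPLE_CSF_CONF = 'UI_PORT = "6666"\nTCP_IN = "22,80,443,6666"\n'
SAMPLE_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF(constructed)\n-----END ENCRYPTED PRIVATE KEY-----\n"


def _entries(text):
    """Non-blank, non-comment lines of a csf list file."""
    return [ln.split("#", 1)[0].strip() for ln in text.splitlines() if ln.split("#", 1)[0].strip()]


def key_has_passphrase(pem):
    """True if the PEM key is still encrypted; lfd cannot prompt for a pass-phrase.
    Matches PKCS#8 'BEGIN ENCRYPTED PRIVATE KEY' and legacy 'Proc-Type: 4,ENCRYPTED'."""
    return "ENCRYPTED" in pem


def check_allow_entries(text):
    """ui.allow accepts IPs or CIDRs; returns the lines that are neither."""
    bad = []
    for line in _entries(text):
        try:
            ipaddress.ip_network(line, strict=False)
        except ValueError:
            bad.append(line)
    return bad


def check_ban_entries(text):
    """ui.ban accepts plain IP addresses only; returns the lines that are not."""
    bad = []
    for line in _entries(text):
        try:
            ipaddress.ip_address(line)
        except ValueError:
            bad.append(line)
    return bad


def ui_port_in_tcp_in(conf):
    """True if UI_PORT is opened in TCP_IN (single ports or lo:hi ranges)."""
    def setting(name):
        m = re.search(rf'^{name}\s*=\s*"([^"]*)"', conf, re.M)
        return m.group(1) if m else ""
    port = int(setting("UI_PORT") or 0)
    for item in filter(None, (p.strip() for p in setting("TCP_IN").split(","))):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False
```

Run against the real files by reading /etc/csf/ui/ui.allow, /etc/csf/ui/ui.ban, /etc/csf/ui/server.key and /etc/csf/csf.conf in place of the constructed samples.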
Required Perl Modules:
- On Debian v6 the perl modules can be installed using:
  apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl \
    libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl
- On CentOS v6 the perl modules can be installed using:
  yum install perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN \
    perl-IO-Socket-INET6 perl-Socket6
Control Panels
Sentinel Firewall can be configured to run on the most popular Control Panels.
The codebase is the same for all installations, the csf.conf file simply has that panel specific options added and the GENERIC option removed.
cPanel
cPanel/WHM integration is available in the form of a WHM plugin.
- /etc/csf/cpanel.allow whitelists the cPanel update servers
- /etc/csf/cpanel.comodo.allow whitelists the Sectigo SSL provider (formerly Comodo) *this is deprecated and will be removed
- /etc/csf/cpanel.ignore makes lfd ignore the cPanel update servers
- /etc/csf/cpanel.comodo.ignore makes lfd ignore the Sectigo SSL provider (formerly Comodo)
- /etc/csf/cpanelalert.txt is the default email template for WHM logins
InterWorx
InterWorx integration is available for csf. The installation makes changes to the underlying InterWorx installation due to its current dependence on APF. To cater for this, installing csf will replace /etc/apf/apf with a stub script that redirects commands to csf. The script is then chattr +ia to prevent it being overwritten.
Note: None of the apf conf files are used and are ignored by csf.
The Firewall UI option in NodeWorx should now not be used and any changes made there will not be reflected in iptables.
There is a UI option under "ConfigServer Services" for "ConfigServer Firewall & Security" that should now be used.
The installation will also replace the Firewall page in NodeWorx with a dummy page stating that csf should be used instead. lfd will replace the page upon restart in case of upgrades to InterWorx. If you want to disable this behaviour, create an empty file as follows:
touch /etc/cxs/interworx.firewall
The InterWorx plugin for csf is auto-enabled. Enabling or disabling the InterWorx plugin has no effect on csf itself, only on the presence of the UI plugin.
NOTE: Unless you have configured a root forwarder, you should edit the csf configuration settings in /etc/csf/csf.conf or via the UI and set LF_ALERT_TO to a suitable email address. After making any changes, restart csf and then lfd.
OpenPanel
OpenPanel/OpenAdmin integration is available in the form of an OpenAdmin plugin.
The codebase is the same for all installations, the csf.conf file simply has the GENERIC option added.
CentOS Web Panel (CWP)
CWP integration is available for csf. Since CWP already has some custom modifications, these have been taken into account. To access the now inbuilt UI in CWP, there is a new menu option in CWP > ConfigServer Scripts > ConfigServer Firewall.
There is now an option in /etc/csf/csf.conf for LF_CWP for login failure detection. However, this WILL NOT work with the default CWP installation as there is a custom entry in /etc/csf/regex.custom.pm. The now official detection will be ignored while this is in place.
If you want to use the now inbuilt detection you must edit /etc/csf/regex.custom.pm and remove the 3 lines that comprise the custom entry and then restart lfd.
UI Skinning
The csf UI provided through cPanel, OpenPanel, DirectAdmin, Webmin and the integrated UI via lfd all use the Bootstrap and jQuery frameworks. Additional styling is added to complement the frameworks and the UI flow.
If you want to make changes to the styling or add jQuery or JavaScript code you can create:
- A text file /etc/csf/csf.header which will be included in each of the UI pages before the closing </head> tag
- A text file /etc/csf/csf.body which will be included in each of the UI pages after the opening <body> tag[*]
- A text file /etc/csf/csf.footer which will be included in each of the UI pages before the closing </body> tag
The html tag will also have a data-post field containing the internal action being performed by the UI.
You can also make additions to the <html> and <body> tags by creating /etc/csf/csf.htmltag and /etc/csf/csf.bodytag respectively[*]. Additions made in these files MUST all be on a single line at the top of the file, anything else will be ignored. The text will then be placed within the respective tag, e.g. if you want <body data-name='result'> you would put the following on a single line in /etc/csf/csf.bodytag:
data-name='result'
[*] This functionality is ONLY available on webmin servers
Mobile View
The Mobile View feature has a breakpoint of 600px which will initiate the full browser subset of UI features. This may mean breaking out of framesets in some control panels, so a return to the main control panel window is included. Also, switching back to the Desktop View will remain in the full browser display.
If you switch to the Mobile View and then switch to the main control panel window, further accesses to the UI will always default to the Mobile View. If you switch back after returning to the Desktop View, subsequent access will default to that view. This reverts to the default breakpoint behaviour in new browser sessions, as the system uses session cookies to keep track of the chosen view, which are reset on browser shutdown.
There are options in csf.conf that control the behaviour of these options under STYLE_*. Any styling changes MUST respect these options.
Note: We do NOT recommend reformatting the UI output as any changes in the core code may not be reflected in the user experience and can break the product. Only style changes should be made.
