How to allow domains by reverse DNS lookup in CSF on Oracle Linux 9.2

Introduction:

ConfigServer Security & Firewall (CSF) is a powerful firewall management tool for Linux servers. It has the ability to allow or deny access to your server based on various criteria, including reverse DNS lookup. Reverse DNS lookup is a method to verify the legitimacy of incoming connections by checking the domain associated with an IP address.

Procedure:

Step 1: Check the OS version by using the below command

[root@Linuxhelp ~]# cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="9.2"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Oracle Linux Server 9.2"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:9:2:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://github.com/oracle/oracle-linux"
ORACLE_BUGZILLA_PRODUCT="Oracle Linux 9"
ORACLE_BUGZILLA_PRODUCT_VERSION=9.2
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=9.2

Step 2: Check the status of the csf and lfd services by using the below command

[root@Linuxhelp ~]# systemctl status csf lfd
● csf.service - ConfigServer Firewall & Security - csf
     Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; preset: disabled)
     Active: active (exited) since Thu 2023-11-02 10:20:08 IST; 5 days ago
   Main PID: 10199 (code=exited, status=0/SUCCESS)
        CPU: 1.901s

Nov 02 10:20:08 Linuxhelp csf[10199]: ACCEPT  all opt    in * out lo  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOGDROPOUT  all opt    in * out !lo  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: csf: FASTSTART loading DNS (IPv4)
Nov 02 10:20:08 Linuxhelp csf[10199]: csf: FASTSTART loading DNS (IPv6)
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp systemd[1]: Finished ConfigServer Firewall & Security - csf.
● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; preset: disabled)
     Active: active (running) since Thu 2023-11-02 10:20:09 IST; 5 days ago
   Main PID: 10371 (lfd - sleeping)
      Tasks: 1 (limit: 22877)
     Memory: 262.7M
        CPU: 1min 19.538s
     CGroup: /system.slice/lfd.service
             └─10371 "lfd - sleeping"

Nov 02 10:20:08 Linuxhelp systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Nov 02 10:20:09 Linuxhelp systemd[1]: Started ConfigServer Firewall & Security - lfd.

Step 3: To allow domains by reverse DNS lookup, open the csf.dyndns file by using the below command

[root@Linuxhelp ~]# vim /etc/csf/csf.dyndns
Here, add the domains that we want to whitelist, one per line:
google.com

Step 4: Edit the CSF configuration file to set the DYNDNS value by using the below command

[root@Linuxhelp ~]# vim /etc/csf/csf.conf
Here, set the value (the lookup interval in seconds) as per the need:
DYNDNS = "600"
Save the file and exit.

Step 5: To apply changes restart the CSF by using the below command.

[root@Linuxhelp ~]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `LOCALINPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
"Firewall: *ICMP6OUT Blocked* "
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
INVALID  tcp opt    in * out !lo  ::/0  -> ::/0  
ACCEPT  ipv6-icmp opt    in !lo out *  ::/0  -> ::/0  
ACCEPT  ipv6-icmp opt    in * out !lo  ::/0  -> ::/0  
ACCEPT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt    in !lo out *  ::/0  -> ::/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt    in * out !lo  ::/0  -> ::/0   ctstate RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0  
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0  
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 6: Restart the csf and lfd services by using the below command.

[root@Linuxhelp ~]# systemctl restart csf lfd

Now, CSF will check for IP changes for the domains listed in the /etc/csf/csf.dyndns file every 600 seconds. If the IP address has changed, iptables will be updated to allow traffic from the new IP address.

Step 7: To use the CSF advanced allow/deny filters to allow connections on a specific port from the domain, open the csf.dyndns file again by using the below command.

[root@Linuxhelp ~]# vim /etc/csf/csf.dyndns
tcp|in|d=3306|s=google.com
Save the file and exit.
This filter only allows incoming TCP connections on port 3306 from the IP address that google.com currently resolves to. If the IP address of google.com changes, the filter will be updated to allow traffic from the new IP address.

Step 8: Restart the CSF by using the below command.

[root@Linuxhelp ~]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWDYNIN'
Flushing chain `ALLOWDYNOUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `LOCALINPUT'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
ACCEPT  ipv6-icmp opt    in * out !lo  ::/0  -> ::/0  
ACCEPT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt    in !lo out *  ::/0  -> ::/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt    in * out !lo  ::/0  -> ::/0   ctstate RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
LOGDROPOUT  all opt    in * out !lo  ::/0  -> ::/0  
LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0  
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0  
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0  
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 9: Restart the csf and lfd services by using the below command.

[root@Linuxhelp ~]# systemctl restart csf lfd
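
Once csf and lfd are back up, it is worth confirming that the addresses the listed hostnames currently resolve to are actually present in the ALLOWDYNIN chain, because between two DYNDNS refreshes a moved DNS record leaves the old address allowed and the new one blocked. The Python audit below is an added example, not part of csf or of this guide: it parses both entry forms used above (a bare hostname and a tcp|in|d=3306|s=host filter), resolves each hostname and reports entries whose addresses the chain does not allow yet. It assumes the dyndns rules show up in `iptables -S ALLOWDYNIN` as `-s <address>` rules, and the chain listing, the 198.51.100.x addresses and the stub resolver are constructed so that it runs offline; on a real host feed it the live file, the live `iptables -S ALLOWDYNIN` output and the `resolve` function.

```python
"""Audit CSF dyndns entries against the ALLOWDYNIN chain (added example)."""
import re
import socket

def parse_dyndns(text):
    """Parse csf.dyndns: bare hostnames or proto|dir|d=port|s=host filters."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if not line:
            continue
        if "|" not in line:                          # bare hostname: allow all
            entries.append({"host": line, "proto": None, "dir": None, "dport": None})
            continue
        proto, direction, *fields = line.split("|")
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        if "s" not in kv:
            raise ValueError(f"advanced filter without s=host: {raw!r}")
        entries.append({"host": kv["s"], "proto": proto, "dir": direction, "dport": kv.get("d")})
    return entries

def allowed_sources(iptables_s_output):
    """Source addresses listed by `iptables -S <chain>`, with /32 stripped."""
    addrs = re.findall(r"-s\s+(\S+)", iptables_s_output)
    return {a[:-3] if a.endswith("/32") else a for a in addrs}

def resolve(host):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})  # live DNS

def stale_entries(entries, chain_sources, resolver=resolve):
    """Entries whose current addresses the chain does not allow yet (record moved)."""
    stale = []
    for e in entries:
        missing = [ip for ip in resolver(e["host"]) if ip not in chain_sources]
        if missing:
            stale.append((e["host"], e["dport"], missing))
    return stale

# Constructed sample (not captured from a real host): csf.dyndns as on this
# page, ALLOWDYNIN as installed before the record moved, and a stub resolver
# standing in for DNS so the audit runs offline.
SAMPLE_DYNDNS = "google.com\ntcp|in|d=3306|s=google.com\n"
SAMPLE_CHAIN = ("-A ALLOWDYNIN -s 198.51.100.10/32 -j ACCEPT\n"
                "-A ALLOWDYNIN -s 198.51.100.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT\n")
STUB_DNS = {"google.com": ["198.51.100.11"]}

def audit_sample():
    """Run the audit on the sample; both entries come back stale."""
    chain = allowed_sources(SAMPLE_CHAIN)
    return stale_entries(parse_dyndns(SAMPLE_DYNDNS), chain, STUB_DNS.__getitem__)
```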

Conclusion

We have reached the end of this article. In this guide, we have walked you through the steps required to allow domains by reverse DNS lookup in CSF on Oracle Linux 9.2. Your feedback is much welcome.

FAQ

Q: Can I use CSF with other firewall solutions or security tools?
A: While CSF can be used as a standalone firewall, it can also complement other security tools and practices. You can integrate it with other security measures to create a robust security strategy for your server.

Q: Can I allow multiple domains through reverse DNS lookup in CSF?
A: Yes, you can allow multiple domains by specifying them in the CSF configuration. This allows you to create a list of trusted domains from which incoming connections will be accepted.

Q: How can I troubleshoot issues with reverse DNS lookup in CSF?
A: If you encounter problems with reverse DNS lookup, you can check your CSF logs for relevant information. Additionally, ensuring that your server's DNS configuration is accurate and up to date can help avoid issues with reverse DNS checks.

Q: Why would I want to allow domains by reverse DNS lookup in CSF?
A: Allowing domains by reverse DNS lookup in CSF can enhance server security by ensuring that incoming connections are only accepted from trusted domains. This is particularly useful when you want to restrict access to specific services or applications to a predefined list of domains.

Q: Is reverse DNS lookup the only method to secure a server with CSF?
A: No, CSF provides multiple security features, including packet filtering, connection tracking, and more. Reverse DNS lookup is just one of the many tools available to enhance server security.