How to allow domains by reverse DNS lookup in CSF on Oracle Linux 9.2
To Allow Domains By Reverse DNS Lookup In CSF On Oracle Linux 9.2
Introduction:
ConfigServer Security & Firewall (CSF) is a powerful firewall management tool for Linux servers. It has the ability to allow or deny access to your server based on various criteria, including reverse DNS lookup. Reverse DNS lookup is a method to verify the legitimacy of incoming connections by checking the domain associated with an IP address.
Procedure:
Step 1: Check the OS version by using the below command
[root@Linuxhelp ~]# cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="9.2"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Oracle Linux Server 9.2"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:9:2:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://github.com/oracle/oracle-linux"
ORACLE_BUGZILLA_PRODUCT="Oracle Linux 9"
ORACLE_BUGZILLA_PRODUCT_VERSION=9.2
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=9.2
Step 2: Check the status of the csf and lfd services by using the below command
[root@Linuxhelp ~]# systemctl status csf lfd
● csf.service - ConfigServer Firewall & Security - csf
Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; preset: disabled)
Active: active (exited) since Thu 2023-11-02 10:20:08 IST; 5 days ago
Main PID: 10199 (code=exited, status=0/SUCCESS)
CPU: 1.901s
Nov 02 10:20:08 Linuxhelp csf[10199]: ACCEPT all opt in * out lo ::/0 -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOGDROPOUT all opt in * out !lo ::/0 -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOGDROPIN all opt in !lo out * ::/0 -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: csf: FASTSTART loading DNS (IPv4)
Nov 02 10:20:08 Linuxhelp csf[10199]: csf: FASTSTART loading DNS (IPv6)
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALINPUT all opt in !lo out * ::/0 -> ::/0
Nov 02 10:20:08 Linuxhelp systemd[1]: Finished ConfigServer Firewall & Security - csf.
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; preset: disabled)
Active: active (running) since Thu 2023-11-02 10:20:09 IST; 5 days ago
Main PID: 10371 (lfd - sleeping)
Tasks: 1 (limit: 22877)
Memory: 262.7M
CPU: 1min 19.538s
CGroup: /system.slice/lfd.service
└─10371 "lfd - sleeping"
Nov 02 10:20:08 Linuxhelp systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Nov 02 10:20:09 Linuxhelp systemd[1]: Started ConfigServer Firewall & Security - lfd.
Step 3: Allow the domains by using reverse DNS lookup for that we need to open csf.dynamin file by using the below command
[root@Linuxhelp ~]# vim /etc/csf/csf.dyndns
Here add the domain that we want to whitelist, one per line
google.com
Step 4: Edit the CSF configuration file to set the DYNDNS value by using the below command
[root@Linuxhelp ~]# vim /etc/csf/csf.conf
Here set the value as per the need
DYNDNS = "600"
Save the file and exit.
Step 5: To apply changes restart the CSF by using the below command.
[root@Linuxhelp ~]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `LOCALINPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
"Firewall: *ICMP6OUT Blocked* "
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt in * out !lo ::/0 -> ::/0
ACCEPT ipv6-icmp opt in !lo out * ::/0 -> ::/0
ACCEPT ipv6-icmp opt in * out !lo ::/0 -> ::/0
ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt in !lo out * ::/0 -> ::/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt in * out !lo ::/0 -> ::/0 ctstate RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
Step 6: Restart the CSF and IFD services by using the below command.
[root@Linuxhelp ~]# systemctl restart csf lfd
Now, CSF will check for IP changes for the domains listed in the /etc/csf.dyndns file every 600 seconds. If the IP address has changed, iptables will be updated to allow traffic from the new IP address.
Step 7: Use CSF advanced allow/deny filters to allow connections on port from the domain for that open csf.dyndns file by using the below command.
[root@Linuxhelp ~]# vim /etc/csf/csf.dyndns
tcp|in|d=3306|s=google.com
Save the file and exit.
This filter will only allow connections on port 3306 from the IP address that resolves to google.com. If the IP address of google.com changes, the filter will be updated to allow traffic from the new IP address.
Step 8: Restart the CSF by using the below command.
[root@Linuxhelp ~]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWDYNIN'
Flushing chain `ALLOWDYNOUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `LOCALINPUT'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
ACCEPT ipv6-icmp opt in * out !lo ::/0 -> ::/0
ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt in !lo out * ::/0 -> ::/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt in * out !lo ::/0 -> ::/0 ctstate RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
LOGDROPOUT all opt in * out !lo ::/0 -> ::/0
LOGDROPIN all opt in !lo out * ::/0 -> ::/0
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
Step 9: Restart the CSF and IFD services by using the below command.
[root@Linuxhelp ~]# systemctl restart csf lfd
Conclusion
We have reached the end of this article. In this guide, we have walked you through the steps required to to allow domains by reverse DNS lookup in CSF on Oracle Linux 9.2. Your feedback is much welcome.
Comments ( 0 )
No comments available