
How to Allow Domains by reverse DNS lookup in CSF on Rocky Linux 9.2


To Allow Domains By Reverse DNS Lookup In CSF On Rocky Linux 9.2

Introduction:

ConfigServer Security & Firewall (CSF) is a powerful firewall management tool for Linux servers. It has the ability to allow or deny access to your server based on various criteria, including reverse DNS lookup. Reverse DNS lookup is a method to verify the legitimacy of incoming connections by checking the domain associated with an IP address.

Procedure steps:

Step 1: Check the OS version by using the below command

[root@Linuxhelp ~]# cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.2 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.2 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.2"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"

Step 2: Check the status of the csf and lfd services by using the below command

[root@Linuxhelp ~]# systemctl status csf lfd
● csf.service - ConfigServer Firewall & Security - csf
     Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; preset: disabled)
     Active: active (exited) since Thu 2023-11-02 10:20:08 IST; 5 days ago
   Main PID: 10199 (code=exited, status=0/SUCCESS)
        CPU: 1.901s

Nov 02 10:20:08 Linuxhelp csf[10199]: ACCEPT  all opt    in * out lo  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOGDROPOUT  all opt    in * out !lo  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: csf: FASTSTART loading DNS (IPv4)
Nov 02 10:20:08 Linuxhelp csf[10199]: csf: FASTSTART loading DNS (IPv6)
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp systemd[1]: Finished ConfigServer Firewall & Security - csf.

● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; preset: disabled)
     Active: active (running) since Thu 2023-11-02 10:20:09 IST; 5 days ago
   Main PID: 10371 (lfd - sleeping)
      Tasks: 1 (limit: 22877)
     Memory: 262.7M
        CPU: 1min 19.538s
     CGroup: /system.slice/lfd.service
             └─10371 "lfd - sleeping"

Nov 02 10:20:08 Linuxhelp systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Nov 02 10:20:09 Linuxhelp systemd[1]: Started ConfigServer Firewall & Security - lfd.

Step 3: To allow domains by reverse DNS lookup, open the csf.dyndns file with the command below

[root@Linuxhelp ~]# vim /etc/csf/csf.dyndns 
Here, add the domains to whitelist, one per line
google.com

Step 4: Edit the CSF configuration file to set the DYNDNS value by using the below command

[root@Linuxhelp ~]# vim /etc/csf/csf.conf 
Here, set the DYNDNS value (the interval in seconds between checks of the listed domains) as needed
DYNDNS = "600"
Save the file and exit.

Step 5: To apply the changes, restart csf with the command below.

[root@Linuxhelp ~]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `LOCALINPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
"Firewall: *ICMP6OUT Blocked* "
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
INVALID  tcp opt    in * out !lo  ::/0  -> ::/0  
ACCEPT  ipv6-icmp opt    in !lo out *  ::/0  -> ::/0  
ACCEPT  ipv6-icmp opt    in * out !lo  ::/0  -> ::/0  
ACCEPT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt    in !lo out *  ::/0  -> ::/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt    in * out !lo  ::/0  -> ::/0   ctstate RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0  
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0  
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 6: Restart the csf and lfd services by using the below command.

[root@Linuxhelp ~]# systemctl restart csf lfd
Now, CSF will check for IP address changes of the domains listed in /etc/csf/csf.dyndns every 600 seconds. If the IP address of a domain has changed, the iptables rules are updated to allow traffic from the new IP address.

Step 7: To allow connections on a specific port from the domain, use csf's advanced allow/deny filter syntax. Open the csf.dyndns file again with the command below.

[root@Linuxhelp ~]# vim /etc/csf/csf.dyndns 
tcp|in|d=3306|s=google.com

Save the file and exit.

This filter only allows connections on port 3306 from the IP address that google.com resolves to. If the IP address of google.com changes, the filter is updated to allow traffic from the new IP address.

Step 8: Restart the CSF by using the below command.

[root@Linuxhelp ~]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWDYNIN'
Flushing chain `ALLOWDYNOUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `LOCALINPUT'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
ACCEPT  ipv6-icmp opt    in * out !lo  ::/0  -> ::/0  
ACCEPT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt    in !lo out *  ::/0  -> ::/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt    in * out !lo  ::/0  -> ::/0   ctstate RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
LOGDROPOUT  all opt    in * out !lo  ::/0  -> ::/0  
LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0  
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0  
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0  
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 9: Restart the csf and lfd services by using the below command.

[root@Linuxhelp ~]# systemctl restart csf lfd
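To make the mechanism behind steps 3 to 9 concrete, here is an added example (not CSF's or lfd's own code) that parses both entry styles used above from a constructed csf.dyndns, resolves each name, and computes which allow rules must be added or dropped when a name's addresses change between two checks, which is what lfd repeats every DYNDNS seconds. The hostnames and addresses in the sample are constructed, and the rule that the hostname in an advanced entry is the s= or d= field whose value is not a port number is an assumption.

```python
import socket
from typing import Callable, List, Set, Tuple

Resolver = Callable[[str], Set[str]]

# Constructed sample of /etc/csf/csf.dyndns: one plain hostname and one entry in
# csf's advanced allow syntax (protocol|direction|d=port|s=host), as on this page.
SAMPLE_DYNDNS = """\
# names are re-resolved every DYNDNS seconds (600 in this tutorial)
google.com
tcp|in|d=3306|s=db.example.com
"""

def parse_dyndns(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, rule template) pairs; '{ip}' marks where the resolved address goes.
    Assumption: in an advanced entry the host is the s= or d= field whose value is not a port."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "|" not in line:
            entries.append((line, "{ip}"))  # plain hostname: allow all traffic from it
            continue
        fields = line.split("|")
        for i, field in enumerate(fields):
            key, _, value = field.partition("=")
            if key in ("s", "d") and value and not value.isdigit():
                fields[i] = f"{key}={{ip}}"
                entries.append((value, "|".join(fields)))
                break
        else:
            raise ValueError(f"no hostname in advanced entry: {line!r}")
    return entries

def system_resolver(host: str) -> Set[str]:
    """Forward-resolve host to its IPv4 addresses; a name that fails to resolve yields no rules."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def build_rules(entries: List[Tuple[str, str]], resolver: Resolver) -> Set[str]:
    """One allow rule per (entry, resolved address): the rule set csf installs for this file now."""
    return {tmpl.format(ip=ip) for host, tmpl in entries for ip in resolver(host)}

def rule_changes(previous: Set[str], current: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Rules to add and rules to drop when a name's addresses changed since the last check."""
    return current - previous, previous - current
```

A name that resolves to several addresses (google.com does) yields one allow rule per address, and every rule is only as trustworthy as the DNS answer it came from, so the resolver path used by the server matters as much as the list itself.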

Conclusion

We have reached the end of this article. In this guide, we have walked you through the steps required to allow domains by reverse DNS lookup using CSF on Rocky Linux 9.2. Your feedback is most welcome.

Tags:
caden
Author: 


Frequently asked questions (5)

Q: Is reverse DNS lookup the only method to secure a server with CSF?

A: No, CSF provides multiple security features, including packet filtering, connection tracking, and more. Reverse DNS lookup is just one of the many tools available to enhance server security.

Q: Why would I want to allow domains by reverse DNS lookup in CSF?

A: Allowing domains by reverse DNS lookup in CSF can enhance server security by ensuring that incoming connections are only accepted from trusted domains. This is particularly useful when you want to restrict access to specific services or applications to a predefined list of domains.

Q: How can I troubleshoot issues with reverse DNS lookup in CSF?

A: If you encounter problems with reverse DNS lookup, you can check your CSF logs for relevant information. Additionally, ensuring that your server's DNS configuration is accurate and up to date can help avoid issues with reverse DNS checks.

Q: Can I allow multiple domains through reverse DNS lookup in CSF?

A: Yes, you can allow multiple domains by specifying them in the CSF configuration. This allows you to create a list of trusted domains from which incoming connections will be accepted.

Q: Can I use CSF with other firewall solutions or security tools?

A: While CSF can be used as a standalone firewall, it can also complement other security tools and practices. You can integrate it with other security measures to create a robust security strategy for your server.
