CSF Firewall Situation

nightstryke

So has there been a consensus on what to do about firewalls with DirectAdmin yet?
I did see that DA updated to v15.00 of CSF, as that's the last release, but now that the waytotheweb GitHub is gone, we're kind of SOL with a firewall solution with DA unless we can keep using CSF and just configure it not to look for updates of the firewall, right?

I have done some digging and I found someone running this fork.
Has anyone tried this one yet?

https://github.com/Aetherinox/csf-firewall

And there's a website too

https://docs.configserver.dev/

What are everyone's thoughts on switching to this for updates? Is anyone using this fork?
 
Well, I saw the post over there https://forum.directadmin.com/threads/csf-future-on-directadmin-—-where-do-we-stand-6-months-after-the-shutdown.82025/ but no one is actually saying what DirectAdmin or they are doing. I've checked the alternatives listed and the only active ones are Aetherinox's CSF and Centmin's version of CSF. Sentinel is a no-go; apparently the dev gave up.

Aetherinox does have an install option for DA though.
https://docs.configserver.dev/install/install/?h=directadmin#install-directadmin
 
Even in the times when the CSF/LFD developers were in business, one could have counted 2-3 alternatives to their software. The market is free, so anyone is welcome here) So you might try the forks and share your experience.
 
I'm not keen on being the first guinea pig.
 
I wonder about that too. This could just as well be spoken about in the other thread which he -did- see.
https://forum.directadmin.com/threads/csf-future-on-directadmin-—-where-do-we-stand-6-months-after-the-shutdown.82025/
No need to start a new one about the same.
Actually, in that thread you're discussing implementation; in this thread I'm asking who's applying any alternatives to their own servers aside from what's already in DirectAdmin. In that thread you guys are discussing the finer details of how the software works, and not actually what to do with servers actually running the software. I'm not expecting DirectAdmin to take on more work than it needs to, I just want to know if anyone is using a viable alternative that isn't compromised due to the departure of the original CSF dev. If you want to close this thread or move it into the other one, that's fine, but I really do think it would help other DirectAdmin server owners to actually have a thread of what to do about this rather than discussing the details of how it works.
 
if anyone is using a viable alternative that isn't compromised due to the departure of the original CSF dev.

Even using the original version of CSF/LFD, all the servers were at risk of being compromised. No guarantees that a download server never gets compromised. No guarantees that you won't at some point get a backdoor installed with another update of the software.

The only party I would trust here is the DirectAdmin developers. Unfortunately, they will hardly actively develop the fork and add new features.

If you want guarantees and to sleep well, you might be better off using another solution which is actively developed and supported by a team.

P.S. I'm not very happy with Imunify360 by the way, but I did not test other solutions much as of yet.
 
Well, that's the trade-off, isn't it? We have to make compromises, like those who want to run a server and web hosting company but don't want to pay the cPanel price for subpar service and support. But lately it seems like we've been in a downward spiral, one piece of bad news after the other, and it's not just with DirectAdmin, though I'd say it kind of started with the loss of lifetime licenses with DA, the loss of CentOS, and now the loss of CSF. If you're not seeing the pattern, I guess I may be imagining it.
 
The world changes in all aspects and old companies leave the market, new ones come into the game. That's expected. Where is FreeBSD now? I started my journey to the hosting world with DirectAdmin and FreeBSD. So not many regrets about losing CentOS. Losing FreeBSD caused more pain actually.

If you're making up your mind about which CSF/LFD fork to choose, then you should ask yourself a question. What do you want from it? New features? New supported software? Or a stable run and good sleep? I would choose the last one. I use the CSF fork from DirectAdmin on my own servers and most of my customers still run CSF from DirectAdmin.
 
the loss of CentOS, and now the loss of CSF, if you're not seeing the pattern I guess I may be imagining it.
Just to hook in on this. For these two it's exactly the same in cPanel, and they also created their own fork of CSF with no vision at the moment and no real changes in the files. So even with paying a lot more for support and stuff, they are not doing better on this than DA.
 
Any idea if I'm correct in assuming we're kinda locked in to CSF and maybe only drop-in replacements/forks?

No, directadmin servers are not locked to CSF. You can disable and remove CSF:

Code:
da build set csf yes
da build remove_csf

then you might use raw iptables or another firewall manager on the server.

The only issue you might have is that DirectAdmin BruteForce Manager does not support anything other than CSF. You will need to write a wrapper in this case.
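
An added example, not part of the post above and not DirectAdmin or CSF code: a sketch of the kind of wrapper mentioned, which validates the address it is handed before passing it to the firewall. It assumes the panel supplies the address in an environment variable named `ip` and that nftables timeout sets called `bfm_block4` and `bfm_block6` exist in table `inet filter`; those names are hypothetical.

```shell
#!/bin/sh
# Added example (not DirectAdmin or CSF code). Assumptions: the caller puts the
# offending address in the environment variable `ip`, and an nftables table
# "inet filter" holds timeout sets bfm_block4 / bfm_block6 (hypothetical names)
# that a drop rule references.
BLOCK_TTL=${BLOCK_TTL:-1h}
NEVER_BLOCK=${NEVER_BLOCK:-"127.0.0.1 ::1"}   # add your own management addresses

# Print 4 or 6 if $1 is a single IP literal; fail on anything else.
ip_family() {
  addr=$1
  case $addr in ''|*[!0-9A-Fa-f:.]*) return 1 ;; esac   # character whitelist
  case $addr in
    *:*:*)                                   # IPv6: nft does the final parse
      case $addr in *.*) return 1 ;; esac    # no embedded-IPv4 forms here
      [ "${#addr}" -le 39 ] || return 1
      echo 6 ;;
    *.*.*.*)
      case $addr in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
      old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
      [ $# -eq 4 ] || return 1
      for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
      done
      echo 4 ;;
    *) return 1 ;;
  esac
}

# Block one address, refusing non-IP input and protected addresses.
block_ip() {
  target=$1
  fam=$(ip_family "$target") || { echo "rejected: not an IP literal" >&2; return 2; }
  for skip in $NEVER_BLOCK; do
    if [ "$target" = "$skip" ]; then echo "rejected: protected address" >&2; return 3; fi
  done
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "nft add element inet filter bfm_block$fam { $target timeout $BLOCK_TTL }"
  else
    nft add element inet filter "bfm_block$fam" "{ $target timeout $BLOCK_TTL }"
  fi
}

# Only act when the caller supplied an address.
if [ -n "${ip:-}" ]; then block_ip "$ip"; fi
```

Running it with `DRY_RUN=1` prints the firewall command instead of executing it, which is a convenient way to check the validation before wiring it to the panel.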
 
Sorry, I meant as in there is no other supported firewall system to choose from and integration of something else is not always trivial. There's always the DIY way and I have done that. It's not the way I prefer :)
csf is way more than just a firewall wrapper, it monitors processes, works with lfd and then some.
 
I believe CSF firewall was donated to the open source community, there are a few projects but I believe the official project can be found here:


Documentation here:
 
Sorry, I meant as in there is no other supported firewall system to choose
There is also Fail2ban, which also is not really developed anymore. Fail2ban and CSF/LFD were already there a long time ago and we installed them ourselves. CSF had won the "battle" because it was better than Fail2ban. At a certain point DA more or less integrated it, but it's not a requirement.
You can also choose fail2ban or Imunify360.
Some go back to fail2ban, there are also people who make use of one of the CSF forks which some people started.
 
Yes, but every option in this ballpark is a worse solution and better options are resource hogs you don't want to have running on the same server.
So I get why things need to be complete, lean and sufficient.
But better options are a hassle if you're not used to working with more than a few servers.

Say a kiddo is trying to hack your server01. After a while, his IP gets blocked. But the hack scripts don't care about that, and switch to your next server and simply continue. After 10 servers they have tried everything, maybe got blocked on most of them, but in the end every 'hack' has been tried on your network. This gives a false sense of security. And even if I did everything safe, another IP can start all over again.

So, I'm using crowdsec to detect anomalies (and use huge community blocklists) and deploy blocks everywhere at once. Pissing me off on server01 means you're not talking to my subnet for a while.

I'm still looking for an XDR/SIEM solution like e.g. Wazuh. This looks good, but... obviously will need its own server.

All of this isn't all that hard, but it breaks DA's bfm-csf connection. It would be nice if a block/unblock by csf/BFM would also trigger a hookscript.
 