Install and configure CSF firewall

How to download and install the CSF firewall on a Linux/cPanel server.

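cd /usr/src
rm -fv csf.tgz
# Placeholder: this page does not give the download URL for csf.tgz
wget CSF_DOWNLOAD_URL/csf.tgz
tar -xzf csf.tgz
cd csf
# Run the installer shipped in the tarball
sh install.sh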

CSF is installed in the /etc/csf directory. Once installation is done, edit the csf.conf file in this directory.

vi /etc/csf/csf.conf

Then find the keyword TESTING. Testing mode is enabled by default, and while it is enabled csf turns itself off automatically after 5 minutes. Disable it by setting TESTING to 0.

Change line number 11. (In the vi editor: open the file with vi /etc/csf/csf.conf, press the ESC key, press /, then type ^TESTING. This finds the line starting with the word TESTING.)

Change TESTING = "1" to TESTING = "0"

Then restart csf using the command

csf -r

If you are using a cPanel server, you will need to open the FTP passive port range 30000:50000 in the TCP_IN section.

Search for ^TCP_IN (the line starting with the word TCP_IN).

Add the FTP passive port range at the end of that line.

Change from
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
to
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,30000:50000"

Restart csf using the command

csf -r
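
To confirm both edits before relying on the firewall, the following added example (not part of CSF or of the original page) reads a csf.conf-style file and checks that TESTING is "0" and that TCP_IN covers the passive FTP range. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit csf.conf for the two settings changed above.

# Print the quoted value of KEY = "value" ($1 = file, $2 = key).
csf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$1" | tail -n 1
}

# Return 0 if port $2 is covered by comma list $1.
# Entries are single ports or low:high ranges, as in TCP_IN.
port_allowed() {
    echo "$1" | tr ',' '\n' | awk -F: -v p="$2" '
        NF == 1 && $1 + 0 == p + 0 { ok = 1 }
        NF == 2 && p + 0 >= $1 + 0 && p + 0 <= $2 + 0 { ok = 1 }
        END { exit !ok }'
}

# Check one file (default /etc/csf/csf.conf); return 1 on any finding.
check_csf_conf() {
    conf="${1:-/etc/csf/csf.conf}"
    rc=0
    if [ "$(csf_get "$conf" TESTING)" != "0" ]; then
        echo "FAIL: TESTING is not \"0\"; csf will turn itself off"
        rc=1
    fi
    tcp_in="$(csf_get "$conf" TCP_IN)"
    for p in 30000 50000; do
        if ! port_allowed "$tcp_in" "$p"; then
            echo "FAIL: passive FTP port $p is not allowed by TCP_IN"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Constructed sample (not a real server's file): the state before the edits.
sample_conf() {
    printf '%s\n' 'TESTING = "1"' 'TESTING_INTERVAL = "5"' \
        'TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"'
}

# Usage: sh check_csf.sh /etc/csf/csf.conf
if [ "$#" -gt 0 ]; then check_csf_conf "$1"; fi
```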


If you get errors about a missing GNU C / C++ compiler on the server, install it with a Linux package installer such as YUM or apt-get.

Installation of GNU C / C++ compiler on CentOS

Use the following command

yum install gcc gcc-c++ autoconf automake

Installation of GNU C / C++ compiler on Ubuntu/Debian

Here, you can use the apt-get command instead of YUM.

sudo apt-get install build-essential

On Ubuntu, to install the gcc and g++ compilers you just need to install the build-essential package. This will also install GNU make.

build-essential contains a list of packages which are essential for building Ubuntu packages including gcc compiler, make and other required tools.

Find spamming script on cpanel

Here we will see how to trace/find a spamming script on a cPanel server.

cPanel uses Exim as its mail server. The path to the Exim log file is /var/log/exim_mainlog. Many cPanel users send out bulk email using PHP scripts. It is hard to find the exact script that is sending the emails, but using exim_mainlog it is possible to trace the folder from which the script is executed.

Running the following command lists the complete folder paths from which scripts were executed, along with the number of times a script was executed from each folder. Once you find the folder, go through the files present in it (there is no need to check files in subfolders). If you find any unknown file with email-sending code, remove or disable it.

Command to find the folder paths from which scripts are executed to send out emails:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n