Debian 10, Unbound DNS Filter and CSF Firewall
Debian 10 Buster – Unbound Filter and CSF Firewall
Install Unbound DNS
apt install unbound python-unbound ca-certificates dnsutils wget
Create a zones directory under /etc/unbound
mkdir -p /etc/unbound/zones
Download (or copy-paste) the scripts and make them executable
wget https://raw.githubusercontent.com/anantho/Unbound-RPZ-CSF/master/usr/local/bin/ads_block.sh -O /usr/local/bin/ads_block.sh
wget https://raw.githubusercontent.com/anantho/Unbound-RPZ-CSF/master/usr/local/bin/porn_block.sh -O /usr/local/bin/porn_block.sh
wget https://raw.githubusercontent.com/anantho/Unbound-RPZ-CSF/master/usr/local/bin/update_named.sh -O /usr/local/bin/update_named.sh
chmod +x /usr/local/bin/ads_block.sh
chmod +x /usr/local/bin/porn_block.sh
chmod +x /usr/local/bin/update_named.sh
Run the scripts once before adding the crontab schedule
sh /usr/local/bin/ads_block.sh
sh /usr/local/bin/porn_block.sh
sh /usr/local/bin/update_named.sh
Add the schedule to crontab: type “crontab -e” and enter the lines below
@monthly /usr/local/bin/update_named.sh #update root.hints
@weekly /usr/local/bin/ads_block.sh #update ads & malware rpz blocking list
@weekly /usr/local/bin/porn_block.sh #update porn rpz blocking list
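The ads_block.sh and porn_block.sh scripts scheduled above rebuild RPZ zone files from published blocklists. As an added illustration (not one of the repository's scripts), the shell function below does the core of that job: it converts a hosts-format or bare-domain blocklist into an RPZ zone whose entries make Unbound answer NXDOMAIN. The zone name rpz.local and the localhost SOA are assumed placeholders and must match the zone configured in rpz.conf.

```shell
#!/bin/sh
# hosts_to_rpz: turn a hosts-style blocklist ("0.0.0.0 name" / "127.0.0.1 name")
# or a bare domain list (stdin) into an Unbound RPZ zone (stdout).
# Every name becomes "CNAME .", the RPZ action that makes Unbound answer NXDOMAIN,
# plus a "*." wildcard so subdomains are blocked too.
# Assumptions: zone origin "rpz.local" and the localhost SOA are hypothetical defaults.
hosts_to_rpz() {
    zone="${1:-rpz.local}"     # must match the zone name used in rpz.conf
    serial=$(date +%Y%m%d%H)   # hourly serial, so each rebuild is newer than the last
    printf '$TTL 300\n'
    printf '%s. IN SOA localhost. root.localhost. (%s 3600 900 604800 300)\n' "$zone" "$serial"
    printf '%s. IN NS localhost.\n' "$zone"
    awk '
        BEGIN {
            # names present in every hosts file that must never be blocked
            skip["localhost"] = 1; skip["localhost.localdomain"] = 1
            skip["broadcasthost"] = 1; skip["ip6-localhost"] = 1; skip["ip6-loopback"] = 1
        }
        {
            sub(/#.*/, "")                              # strip comments
            if (NF == 0) next                           # skip blank lines
            name = ($1 ~ /^[0-9.:]+$/) ? $2 : $1        # hosts format: sink address first
            name = tolower(name); sub(/\.$/, "", name)  # normalise case, drop trailing dot
            if (name == "" || name in skip) next
            if (name ~ /^[0-9.]+$/) next                # "0.0.0.0 0.0.0.0" style entries
            # keep only syntactically valid hostnames with at least one dot
            if (name !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) next
            if (name in seen) next                      # de-duplicate
            seen[name] = 1
            print name " CNAME ."
            print "*." name " CNAME ."
        }'
}

# Usage (URL is a placeholder): fetch a list, write the zone, then restart Unbound
# curl -fsSL https://example.invalid/hosts | hosts_to_rpz rpz.local > /etc/unbound/zones/rpz.local.zone
# systemctl restart unbound
```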
Download or create the Unbound config files in /etc/unbound/unbound.conf.d/
wget https://raw.githubusercontent.com/anantho/Unbound-RPZ-CSF/master/unbound/unbound.conf.d/Unblock.conf -O /etc/unbound/unbound.conf.d/filter.conf
wget https://raw.githubusercontent.com/anantho/Unbound-RPZ-CSF/master/unbound/unbound.conf.d/remote-control.conf -O /etc/unbound/unbound.conf.d/remote-control.conf
wget https://raw.githubusercontent.com/anantho/Unbound-RPZ-CSF/master/unbound/unbound.conf.d/rpz.conf -O /etc/unbound/unbound.conf.d/rpz.conf
Note: adjust the settings in filter.conf to your own environment, especially the access-control section.
Start the Unbound service
systemctl restart unbound
Note: make sure Unbound is running.
IPTables-persistent and IPSet-persistent
apt install iptables-persistent ipset-persistent curl
Switch to iptables-legacy, because Debian 10 defaults to nftables
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
Download CSF Firewall
cd /opt/
wget http://download.configserver.com/csf.tgz
tar xzf csf.tgz
Install CSF
cd /opt/csf
sh install.sh
Test CSF function
perl /usr/local/csf/bin/csftest.pl
Configure CSF
nano /etc/csf/csf.conf
Search for “TCP_IN” and enter the ports that need to be open; do the same for “TCP_OUT”, “UDP_IN” and “UDP_OUT”. Once the ports are entered, search for “TESTING” and change the value from “0” to “1” to enter Testing mode, so that we can test in case a port was forgotten. If you are already sure of the ports to be opened, the “TESTING” value does not need to be changed.
Run the services
systemctl enable csf
systemctl enable lfd
systemctl restart csf
systemctl restart lfd
NOTE
Don't forget to add your whitelisted IPs to /etc/csf/csf.ignore