Debian 10 Buster – Unbound DNS Filter and CSF Firewall
Install unbound DNS

apt install unbound python-unbound ca-certificates dnsutils wget

 

Create the zones directory inside /etc/unbound

mkdir -p /etc/unbound/zones

 

Download (or copy and paste) the scripts and make them executable

wget https://raw.githubusercontent.com/anantho/Unbound-RPZ-CSF/master/usr/local/bin/ads_block.sh -O /usr/local/bin/ads_block.sh

wget https://raw.githubusercontent.com/anantho/Unbound-RPZ-CSF/master/usr/local/bin/porn_block.sh -O /usr/local/bin/porn_block.sh

wget https://raw.githubusercontent.com/anantho/Unbound-RPZ-CSF/master/usr/local/bin/update_named.sh -O /usr/local/bin/update_named.sh

chmod +x /usr/local/bin/ads_block.sh

chmod +x /usr/local/bin/porn_block.sh

chmod +x /usr/local/bin/update_named.sh

 

Run the scripts once before adding the crontab schedule

sh /usr/local/bin/ads_block.sh

sh /usr/local/bin/porn_block.sh

sh /usr/local/bin/update_named.sh

 

Add the schedule to crontab: type “crontab -e” and enter the lines below

@monthly /usr/local/bin/update_named.sh #update root.hints

@weekly /usr/local/bin/ads_block.sh #update ads & malware rpz blocking list

@weekly /usr/local/bin/porn_block.sh #update porn rpz blocking list

 

Download or create the Unbound config files in /etc/unbound/unbound.conf.d/

wget https://raw.githubusercontent.com/anantho/Unbound-RPZ-CSF/master/unbound/unbound.conf.d/Unblock.conf -O /etc/unbound/unbound.conf.d/filter.conf

wget https://raw.githubusercontent.com/anantho/Unbound-RPZ-CSF/master/unbound/unbound.conf.d/remote-control.conf -O /etc/unbound/unbound.conf.d/remote-control.conf

wget https://raw.githubusercontent.com/anantho/Unbound-RPZ-CSF/master/unbound/unbound.conf.d/rpz.conf -O /etc/unbound/unbound.conf.d/rpz.conf

Note: Adjust the configuration in filter.conf to match your own setup, especially the access-control section.

 

Start the Unbound service

systemctl restart unbound

Note: Make sure Unbound is running.

 

IPTables-persistent and IPSet-persistent

apt install iptables-persistent ipset-persistent curl

 

Switch to iptables-legacy, because Debian 10 uses nftables by default

update-alternatives --set iptables /usr/sbin/iptables-legacy

update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

 

Download CSF Firewall

cd /opt/

wget http://download.configserver.com/csf.tgz

tar xzf csf.tgz

 

Installing CSF

cd /opt/csf

sh install.sh

 

Test CSF function

perl /usr/local/csf/bin/csftest.pl

 

Config CSF

nano /etc/csf/csf.conf

Find “TCP_IN” and enter the ports that need to be open, and do the same for “TCP_OUT”, “UDP_IN” and “UDP_OUT”. Once the ports are entered, find “TESTING” and change the value from “0” to “1” to enter testing mode, so that you can test in case a port was left out. If you are already sure about the ports to open, the “TESTING” value does not need to be changed.
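A quick way to catch a forgotten port before restarting the firewall, as an added example that is not part of the original post or of CSF itself: the script reads a csf.conf and reports which of the four port lists omit DNS port 53, which the Unbound resolver set up above needs. The function names and the sample config are constructed for illustration, and it assumes Unbound listens on the default port 53.

```shell
#!/bin/sh
# Added example (not from the original post): verify that csf.conf lets DNS
# through for the Unbound resolver. CSF port lists are comma-separated and
# a range is written low:high.

# csf_value FILE KEY: print the quoted value assigned to KEY, e.g. TCP_IN.
csf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# port_listed LIST PORT: succeed if PORT is a single entry or inside a range.
port_listed() {
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        case $entry in
            *:*) [ "$2" -ge "${entry%%:*}" ] && [ "$2" -le "${entry##*:}" ] && return 0 ;;
            "$2") return 0 ;;
        esac
    done
    return 1
}

# dns_port_gaps FILE: print each port list that does not include port 53.
# Clients reach Unbound via TCP_IN/UDP_IN; Unbound reaches upstream servers
# via TCP_OUT/UDP_OUT.
dns_port_gaps() {
    for key in TCP_IN UDP_IN TCP_OUT UDP_OUT; do
        port_listed "$(csf_value "$1" "$key")" 53 || echo "$key"
    done
}

# Constructed sample config: UDP_IN forgets port 53, UDP_OUT covers it by range.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "1"
TCP_IN = "22,53,80,443"
TCP_OUT = "22,53,80,443"
UDP_IN = "123"
UDP_OUT = "20:100,123"
EOF

echo "TESTING = $(csf_value "$sample" TESTING)"
echo "Port 53 missing from: $(dns_port_gaps "$sample" | tr '\n' ' ')"
rm -f "$sample"
```

To check the live configuration, call dns_port_gaps /etc/csf/csf.conf; empty output means all four lists cover port 53.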

 

Run Service

systemctl enable csf

systemctl enable lfd

systemctl restart csf

systemctl restart lfd

 

NOTE

Don't forget to add your whitelisted IPs to /etc/csf/csf.ignore