Config Server Firewall (CSF) is a firewall application suite for Linux servers. CSF also provides login/intrusion detection for applications like SSH, SMTP, IMAP, POP3, the “su” command and many more. For example, CSF can detect when someone logs into the server via SSH and alert you when this user tries to use the “su” command on the server to get higher privileges. It also checks for login authentication failures on mail servers (Exim, IMAP, Dovecot, uw-imap, Kerio), OpenSSH servers, FTP servers (Pure-ftpd, vsftpd, Proftpd) and cPanel servers, so it can replace software like fail2ban. CSF is a good security solution for hosting servers and can be integrated into the user interface (UI) of WHM/cPanel, DirectAdmin, and Webmin.
Step 1 - Installation of CSF dependencies
CSF is based on Perl, so you need to install Perl on your server first.
#yum install wget perl-libwww-perl.noarch perl-Time-HiRes
Go to the “/usr/src/” directory and download CSF with the wget command.
#cd /usr/src/
#wget https://download.configserver.com/csf.tgz
Now extract the tar.gz file, go to the csf directory, then install it.
#tar -xzf csf.tgz
#cd csf
#sh install.sh
At the end, you will see a message that the CSF installation is completed, as below.
‘csf/configserver.css’ -> ‘webmin/csf/images/configserver.css’
‘csf/csf-loader.gif’ -> ‘webmin/csf/images/csf-loader.gif’
‘csf/csf_small.png’ -> ‘webmin/csf/images/csf_small.png’
‘csf/csf.svg’ -> ‘webmin/csf/images/csf.svg’
‘csf/jquery.min.js’ -> ‘webmin/csf/images/jquery.min.js’
‘csf/LICENSE.txt’ -> ‘webmin/csf/images/LICENSE.txt’
‘csf/loader.gif’ -> ‘webmin/csf/images/loader.gif’
‘/etc/csf/csfwebmin.tgz’ -> ‘/usr/local/csf/csfwebmin.tgz’
Installation Completed
Now we should check that CSF really works on this server. Go to the “/usr/local/csf/bin” directory and run “csftest.pl”.
#cd /usr/local/csf/bin/
#perl csftest.pl
If the test results end with “RESULT: csf should function on this server”, then CSF is running without problems on your server.
[root@newdelhihosting csf]# cd /usr/local/csf/bin/
[root@newdelhihosting bin]# perl csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
[root@newdelhihosting bin]#
Step 3 - Configure CSF on CentOS 7
Before stepping into the CSF configuration process, the first thing we must know is that CentOS 7 has a default firewall application called “firewalld”. We have to stop firewalld and remove it from the startup.
Stopping firewalld and removing it from the startup:
#systemctl stop firewalld
#systemctl disable firewalld
Now we can go to the CSF configuration directory “/etc/csf” and edit the file “csf.conf”.
#cd /etc/csf/
#nano csf.conf
Change the “TESTING” setting to “0” to apply the firewall configuration.
By default CSF allows incoming and outgoing traffic for the standard SSH port 22. If you use a different SSH port, add your SSH port to the “TCP_IN” setting in line 139.
Note: Save “csf.conf” once you have configured it.
Now, we can start CSF and LFD.
#systemctl start csf
#systemctl start lfd
After starting csf and lfd, we need to enable the csf and lfd services so that they start at boot time.
#systemctl enable csf
#systemctl enable lfd
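The two csf.conf settings from this step can be checked by key name rather than by line number, which is worth doing before csf is started so that a custom SSH port missing from TCP_IN is caught early. This is an added example, not part of the original article or of CSF itself; the function names, the sample file and port 2222 are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: check csf.conf settings by key name before starting csf/lfd.

# Print the value of KEY from a csf.conf-style file (lines look like: KEY = "value").
csf_get() {  # usage: csf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Succeed if PORT is in TCP_IN, listed alone or inside a range such as 30000:35000.
csf_port_allowed() {  # usage: csf_port_allowed FILE PORT
    local entry
    for entry in $(csf_get "$1" TCP_IN | tr ',' ' '); do
        case "$entry" in
            *:*) [ "$2" -ge "${entry%%:*}" ] && [ "$2" -le "${entry##*:}" ] && return 0 ;;
            *)   [ "$entry" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# Print findings; return 0 only if the SSH port is open and TESTING is "0".
csf_audit() {  # usage: csf_audit FILE SSH_PORT
    local rc=0
    if ! csf_port_allowed "$1" "$2"; then
        echo "FAIL: SSH port $2 is not in TCP_IN (TCP_IN=$(csf_get "$1" TCP_IN))"
        rc=1
    fi
    if [ "$(csf_get "$1" TESTING)" != "0" ]; then
        echo "WARN: TESTING is \"$(csf_get "$1" TESTING)\", not \"0\""
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: SSH port $2 allowed, TESTING is 0"
    return "$rc"
}

# Constructed sample (not a real server's csf.conf), including one port range.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# comment lines are ignored
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,443,30000:35000"
EOF

csf_audit "$SAMPLE" 2222 || true   # custom SSH port not yet added: FAIL and WARN
csf_audit "$SAMPLE" 22   || true   # default port is present, but TESTING is still "1"
```

On a real server the first argument would be /etc/csf/csf.conf and the second the port your SSH daemon actually listens on.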
Step 4 - Advanced Configuration
Here are some tweaks for CSF, so you can configure it as you need.
Go back to the csf configuration directory and edit the csf.conf configuration file.
1. Don’t block IP addresses that are in the csf.allow files.
By default lfd will also block an IP listed in the csf.allow files. If you want an IP in the csf.allow files never to be blocked by lfd, go to line 272 and change “IGNORE_ALLOW” to “1”. This is useful when you have a static IP at home or in office premises and want to ensure that your IP never gets blocked by the firewall on your internet server.
2. Allow Incoming and Outgoing ICMP.
Go to the line 152 for incoming ping/ICMP.
ICMP_IN = "1"
. . .
ICMP_OUT = "1"
3. Block Certain Countries
CSF provides an option to allow and deny access by country, using two-letter country codes that CSF maps to CIDR ranges. Go to line 836 and add the country codes that shall be allowed and denied.
CC_DENY = "PK,UK,US"
CC_ALLOW = "IN,ID,MY,DE"
4. Send the su and SSH login log by email.
LFD can send an email about “SSH Login” events and about users that run the “su” command. Go to line 1069 and change the value to “1”.
LF_SSH_EMAIL_ALERT = "1"
...
LF_SU_EMAIL_ALERT = "1"
Define the email address you want to use in line 588.
LF_ALERT_TO = "firstname.lastname@example.org"
If you want more tweaks, read the options in the “/etc/csf/csf.conf” configuration file.
Once you have made the tweaks, save the file and reload the firewall rules with