{"id":970,"date":"2018-01-08T05:25:28","date_gmt":"2018-01-08T05:25:28","guid":{"rendered":"https:\/\/www.newdelhihosting.co.in\/blog\/?p=970"},"modified":"2024-10-22T10:53:53","modified_gmt":"2024-10-22T10:53:53","slug":"install-and-configure-csfconfing-server-firewall-on-centos-7","status":"publish","type":"post","link":"https:\/\/www.newdelhihosting.co.in\/blog\/install-and-configure-csfconfing-server-firewall-on-centos-7\/","title":{"rendered":"Install and Configure CSF(Confing Server Firewall) on CentOS 7"},"content":{"rendered":"

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Config Server Firewall \/ CSF<\/strong>\u00a0is firewall application suite for Linux servers. CSF is also a Login\/Intrusion Detection for applications like SSH, SMTP, IMAP, Pop3, the “su” command and many more. CSF can e.g. detect when someone is logging into the server via SSH and alarms you when this user tries to use the “su” command on the server to get higher privileges. It also checks for login authentication failures on mail servers (Exim, IMAP, Dovecot, uw-imap, Kerio), OpenSSH servers, Ftp servers (Pure-ftpd, vsftpd, Proftpd), cPanel server to replace software like fail2ban. CSF is a good security solution for hosting servers and can be integrated into the user interface (UI) of WHM\/cPanel, DirectAdmin, and Webmin.<\/p>\n

 <\/p>\n

Step1-Installation of CFS dependencies<\/strong><\/p>\n

CSF is based on\u00a0Perl,<\/em>\u00a0so you need to install Perl on our server first.<\/p>\n

\u00a0#yum install wget perl-libwww-perl.noarch perl-Time-HiRe<\/pre>\n
Step2-Installing CSF.<\/strong><\/p>\n
Go to the “\/user\/src\/” directroy and download CSF with wget command.<\/p>\n
#cd \/usr\/src\/\r\n#wget https:\/\/download.configserver.com\/csf.tgz\r\n<\/pre>\n
Now extract the tar.gz file and go to the csf directory,then install it.<\/p>\n
#tar -xzf csf.tgz\r\n#cd csf\r\n#sh install.sh\r\n<\/pre>\n
You will get the information that CSF installation is completed at the end as below.<\/p>\n
\u2018csf\/configserver.css\u2019 -> \u2018webmin\/csf\/images\/configserver.css\u2019\r\n\u2018csf\/csf-loader.gif\u2019 -> \u2018webmin\/csf\/images\/csf-loader.gif\u2019\r\n\u2018csf\/csf_small.png\u2019 -> \u2018webmin\/csf\/images\/csf_small.png\u2019\r\n\u2018csf\/csf.svg\u2019 -> \u2018webmin\/csf\/images\/csf.svg\u2019\r\n\u2018csf\/jquery.min.js\u2019 -> \u2018webmin\/csf\/images\/jquery.min.js\u2019\r\n\u2018csf\/LICENSE.txt\u2019 -> \u2018webmin\/csf\/images\/LICENSE.txt\u2019\r\n\u2018csf\/loader.gif\u2019 -> \u2018webmin\/csf\/images\/loader.gif\u2019\r\n\u2018\/etc\/csf\/csfwebmin.tgz\u2019 -> \u2018\/usr\/local\/csf\/csfwebmin.tgz\u2019\r\n\r\nInstallation Completed\r\n<\/pre>\n
Now we should check that CSF really works on this server.Go to the “\/usr\/local\/csf\/bin” directroy,and run “csftest.pl”.<\/p>\n
#cd \/usr\/local\/csf\/bin\/\r\n#perl csftest.pl\r\n<\/pre>\n
if you see the test results as,
\n“RESULT:csf should function on this server” then CSF is running without problems on your server.<\/p>\n
[root@newdelhihosting csf]# cd \/usr\/local\/csf\/bin\/\r\n[root@newdelhihosting bin]# perl csftest.pl\r\nTesting ip_tables\/iptable_filter...OK\r\nTesting ipt_LOG...OK\r\nTesting ipt_multiport\/xt_multiport...OK\r\nTesting ipt_REJECT...OK\r\nTesting ipt_state\/xt_state...OK\r\nTesting ipt_limit\/xt_limit...OK\r\nTesting ipt_recent...OK\r\nTesting xt_connlimit...OK\r\nTesting ipt_owner\/xt_owner...OK\r\nTesting iptable_nat\/ipt_REDIRECT...OK\r\nTesting iptable_nat\/ipt_DNAT...OK\r\n\r\nRESULT: csf should function on this server\r\n[root@newdelhihosting bin]#\r\n<\/pre>\n
Step 3-Configure CSF on Centos 7<\/strong><\/p>\n
Before stepping into the CSF configuration process,the first thing we must know is that “CentOS 7” has a default firewall application called “firewalld”. We have to stop firewalld and remove it from the startup.<\/p>\n
Stopping the firewalld and Removing it from the startup:<\/p>\n
#systemctl stop firewalld\r\n#systemctl disable firewalld<\/pre>\n
Now,we can step into the CSF Configuration directroy “\/etc\/csf” and edit the file \u201ccsf.conf\u201d<\/p>\n
#cd \/etc\/csf\/\r\n#nano csf.conf\r\n<\/pre>\n
Change line \u201cTESTING \u201c to \u201c0\u201d for applying the firewall configuration.<\/p>\n
TESTING=\"0\"<\/pre>\n
By default CSF allows incoming and outgoing traffic for the SSH standard port 22, if you use a different SSH port then please add your SSH port to the configuration in line 139 \u201cTCP_IN\u201d.<\/p>\n
Note : Save \u201ccsf.conf\u201d once you configured .<\/p>\n
Now, we can start CSF and LFD.<\/p>\n
#systemctl start csf\r\n#systemctl start lfd\r\n<\/pre>\n
After starting csf and lfd, we need to enable csf and lfd services to be started at boot time.<\/p>\n
#systemctl enable csf\r\n#systemctl enable lfd\r\n<\/pre>\n
Step 4-Advanced Configuration<\/strong><\/p>\n
Here are some tweaks about CSF, so you can configure as you need.<\/p>\n
Back to the csf configuration directory, and edit the csf.conf configuration file<\/p>\n
#nano \/etc\/csf\/csf.conf<\/pre>\n
1. Don\u2019t Block IP addresses that are in the csf.allow files.<\/p>\n
By default lfd also will block an IP under csf.allow files, so if you want that an IP in csf.allow files never get blocked by lfd, then please go to the line 272 and change \u201cIGNORE_ALLOW\u201d to \u201c1\u201d. This is useful when you have a static IP at home or in office premises and want to ensure that your IP never gets blocked by the firewall on your internet server.<\/p>\n
IGNORE_ALLOW=\"1\"<\/pre>\n
2. Allow Incoming and Outgoing ICMP.
\nGo to the line 152 for incoming ping\/ICMP.<\/p>\n
ICMP_IN = \"1\"\r\n\r\n. . .\r\n\r\nICMP_OUT = \"1\"\r\n<\/pre>\n
3.Block Certain Countries<\/p>\n
CSF provide an option to allow and deny access by country using the CIDR (Country Code). Go to line 836 and add the country codes that shall be allowed and denied<\/p>\n
CC_DENY = \"PK,UK,US\"\r\nCC_ALLOW = \"IN,ID,MY,DE\"\r\n<\/pre>\n
4. Send the Su and SSH Login log by Email.
\nYou can set an email address that is used by LFD to send an email about \u201cSSH Login\u201d events and users that run the \u201csu\u201d command, go to the line 1069 and change the value to \u201c1\u201d.<\/p>\n
LF_SSH_EMAIL_ALERT = \"1\"\r\n\r\n...\r\n\r\nLF_SU_EMAIL_ALERT = \"1\"\r\n<\/pre>\n
define the email address you want to use in line 588.<\/p>\n
LF_ALERT_TO = \"yourmail@yourdomain.tld\"<\/pre>\n
If you want more tweaks, read the options in the \u201c\/etc\/csf\/csf.conf\u201d configuration file.<\/p>\n
Once you done the tweaks, save the file and reload the firewall rules with<\/p>\n
#csf -r<\/pre>\n","protected":false},"excerpt":{"rendered":"
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Config Server Firewall \/ CSF\u00a0is firewall application suite for Linux servers. CSF is also a Login\/Intrusion Detection for applications like SSH, SMTP, IMAP, Pop3, the “su” command and many more. CSF can e.g. detect when someone is logging into the server via SSH and alarms you when this user tries to use the “su”…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-970","post","type-post","status-publish","format-standard","hentry","category-plesk"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/posts\/970"}],"collection":[{"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/comments?post=970"}],"version-history":[{"count":2,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/posts\/970\/revisions"}],"predecessor-version":[{"id":974,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/posts\/970\/revisions\/974"}],"wp:attachment":[{"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/media?parent=970"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/categories?post=970"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newdelhihosting.co.in\/blog\/wp-json\/wp\/v2\/tags?post=970"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}