Config Server Firewall (CSF) is a firewall application suite designed for Linux servers. It also provides login/intrusion detection for services such as SSH, POP3, IMAP, SMTP and others.
CSF will recognize when a user is signing into the server through SSH and send you an alert if they attempt to utilize the “su” command to attain higher privileges on the server.
Another key function of CSF is that it checks for failed login authentications on mail servers (IMAP, Exim, uw-imap, Dovecot, Kerio), FTP servers (Pure-ftpd, Proftpd, vsftpd), OpenSSH servers, and Plesk & cPanel servers, so it can replace software such as fail2ban.
CSF is a solid security solution for server hosting, and it can be integrated easily into Plesk and WHM/cPanel’s user interface.
Steps to follow:
Step One – Install CSF Dependencies
As CSF is based on Perl, you’ll need to install Perl on your server to begin. You should also have wget for downloading the CSF installer and vim (or an editor of your choosing) to make changes to the CSF configuration file.
When ready, you should install the packages using the following command:
yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes
Step Two – CSF Installation
Navigate to the “/usr/src/” directory to download CSF using this wget command:
cd /usr/src/
wget https://download.configserver.com/csf.tgz
Extract the tar.gz file and head to the CSF directory. Then, run the installer:
tar -xzf csf.tgz
cd csf
sh install.sh
If this has gone smoothly, you’ll be presented with a message stating that the CSF installation has been completed. Next, check that CSF actually works as required on this server. How? Make your way to the “/usr/local/csf/bin/” directory. Then, you’ll need to run “csftest.pl”, like so:
cd /usr/local/csf/bin/
perl csftest.pl
You’ll know that CSF is operating on your server with no issues if you see the following response:
RESULT: csf should function on this server
Step Three – Configuration of CSF
There’s one thing you should know before you dive into the process of configuring CSF: CentOS 7’s default firewall application (“firewalld”) must be stopped and removed from the startup.
To stop it:
systemctl stop firewalld
To disable and remove firewalld from the startup:
systemctl disable firewalld
Next, head to the CSF Configuration directory “/etc/csf/” and change the file “csf.conf” using the vim editor:
cd /etc/csf/
vim csf.conf
To apply the CSF firewall configuration, change line 11 “TESTING” to “0”.
TESTING = "0"
CSF enables traffic (incoming and outgoing) for the SSH standard port 22 by default. If you choose to utilize an alternative SSH port, add your port of choice to the configuration in line 139 “TCP_IN”.
Next, start CSF and LFD with the following command:
systemctl start csf
systemctl start lfd
Set up the csf and lfd services to start when booting:
systemctl enable csf
systemctl enable lfd
You can now list the default CSF rules with the command:
csf -l
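A pre-flight check for the two csf.conf edits in this step, added here as an example (it is not part of CSF or of the original article): it confirms that TESTING is readable and set to 0 and that the SSH port is covered by TCP_IN, so enabling the firewall does not lock you out. The function names and the sample config are assumptions made for the illustration, and port ranges in TCP_IN are assumed to use CSF's colon form (30000:35000).

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the csf.conf edits made in Step Three.

# Print the value of KEY from a csf.conf-style line:  KEY = "value"
conf_get() {  # usage: conf_get KEY FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Succeed if PORT is covered by a CSF port list (comma-separated ports and
# colon ranges, e.g. "20,21,22,30000:35000").
port_allowed() {  # usage: port_allowed PORT LIST
    local port="$1" item lo hi
    local IFS=,
    for item in $2; do
        case $item in
            *:*) lo=${item%%:*}; hi=${item##*:}
                 [ "$port" -ge "$lo" ] 2>/dev/null && [ "$port" -le "$hi" ] 2>/dev/null && return 0 ;;
            *)   [ "$item" = "$port" ] && return 0 ;;
        esac
    done
    return 1
}

# Print one line per finding; return non-zero if anything needs fixing.
csf_preflight() {  # usage: csf_preflight CONF_FILE SSH_PORT
    local conf="$1" ssh_port="$2" testing tcp_in rc=0
    testing=$(conf_get TESTING "$conf")
    tcp_in=$(conf_get TCP_IN "$conf")
    case $testing in
        0) ;;
        1) echo "TESTING is still 1: set it to 0 to apply the configuration"; rc=1 ;;
        *) echo "TESTING is unreadable (typographic quotes pasted into csf.conf?)"; rc=1 ;;
    esac
    if ! port_allowed "$ssh_port" "$tcp_in"; then
        echo "SSH port $ssh_port is not in TCP_IN ($tcp_in): risk of lockout"; rc=1
    fi
    return $rc
}

# Constructed sample (not a real server's config): sshd has been moved to
# port 2222, but TCP_IN still lists only the default port 22.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,443,30000:35000"
EOF
csf_preflight "$demo_conf" 2222 || echo "fix csf.conf before running: systemctl start csf"
# On a server: csf_preflight /etc/csf/csf.conf <port your sshd listens on>
```
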
Step Four – Basic CSF Commands
1. Starting the CSF firewall (enabling firewall rules):
csf -s
2. Flushing/stopping firewall rules.
csf -f
3. Reloading firewall rules.
csf -r
4. To allow an IP and add it to csf.allow.
csf -a 192.168.1.109
Here are the results:
Adding 192.168.1.109 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 192.168.1.109 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.109
5. Removal and deletion of an IP from csf.allow.
csf -ar 192.168.1.109
Here are the results:
Removing rule...
ACCEPT all opt -- in !lo out * 192.168.1.109 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.109
6. Denial of an IP and adding to csf.deny:
csf -d 192.168.1.109
Here are the results:
Adding 192.168.1.109 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 192.168.1.109 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.109
7. Removal and deletion of an IP from csf.deny.
csf -dr 192.168.1.109
Results:
Removing rule...
DROP all opt -- in !lo out * 192.168.1.109 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.109
8. Removing and unblocking every entry from csf.deny.
csf -df
Results:
DROP all opt -- in !lo out * 192.168.1.110 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.110
DROP all opt -- in !lo out * 192.168.1.111 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.111
csf: all entries removed from csf.deny
9. Searching for a pattern match on iptables (such as CIDR, IP, Port Number)
csf -g 192.168.1.110
Step Five – Advanced Configuration
Want to configure as and when you need to? Check out these CSF tweaks.
Go back to the csf configuration directory and change the csf.conf configuration file like so:
cd /etc/csf/
vim csf.conf
1. Non-blocking of IP addresses in your csf.allow files:
By default, LFD can still block IPs listed in csf.allow. To make sure that an IP in csf.allow is never blocked by LFD, go to line 272 and set “IGNORE_ALLOW” to “1”.
This can be helpful when you use a static IP at work or home and would like to make sure that the internet server or firewall never blocks it.
IGNORE_ALLOW = "1"
2. Enable incoming and outgoing ICMP
Head to line 152 for incoming ping/ICMP:
ICMP_IN = "1"
And for outgoing ping/ICMP, go to line 159:
ICMP_OUT = "1"
3. Blocking specific countries
CSF gives you the option to deny or allow access from certain countries by country code (CC), which it resolves to that country’s CIDR ranges.
How? Go to line 836 and add the codes of those countries you want to allow or deny:
CC_DENY = "CN,UK,US"
CC_ALLOW = "ID,MY,DE"
4. Emailing the Su and SSH Login log
Another trick you can try is setting an address that LFD can use for sending alert emails about “SSH login” events and occasions when users run the “su” command.
To do this, find line 1069 and set the value to “1”:
LF_SSH_EMAIL_ALERT = "1"
… LF_SU_EMAIL_ALERT = "1"
Input the email address you would like to use for this in line 588:
LF_ALERT_TO = "[email protected]"
Looking for extra changes you can make? Take a look at the options in the “/etc/csf/csf.conf” configuration files.
Conclusion
CSF is a valuable iptables-based firewall application for Linux servers, offering a number of features. It is supported by Plesk, cPanel/WHM, DirectAdmin and Webmin.
Fortunately, CSF installation and configuration is simple, and it’s easy to use on the server, so it has the power to make security management much more efficient for sysadmins.