How to Install and Configure CSF

As a firewall application suite designed for Linux servers, Config Server Firewall ( CSF ) is a Login/Intrusion Detection that’s effective for such applications as SSH, Pop3, IMAP, SMTP and others.

CSF will recognize when a user is signing into the server through SSH and send you an alert if they attempt to utilize the “su” command to attain higher privileges on the server.

Another key function of CSF is that it will check for failed login authentications on mail servers (IMAP, Exim, uw-imap, Dovecot, Kerio), Ftp servers (Pure-ftpd, Proftpd, vsftpd), OpenSSH servers, and Plesk & cPanel servers for replacing software such as fail2ban.

CSF is a solid security solution for server hosting, and it can be integrated easily into Plesk and WHM/cPanel’s user interface.

Steps to follow:

Step One – Install CSF Dependencies

As CSF is based on Perl, you’ll need to install this on our server to begin. You should have wget for downloading the CSF installer as well as vim (or an editor of your choosing) to make changes to the CSF configuration file.

When ready, you should install the packages using the following command:

yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes

Step Two – CSF Installation

Navigate to the “/usr/src/” directory to download CSF using this wget command:

cd /usr/src/
wget https://download.configserver.com/csf.tgz

Extract the tar.gz file and head to the CSF directory. Then, install the tar.gz file:

tar -xzf csf.tgz
cd csf
sh install.sh

If this has gone smoothly, you’ll be presented with a message stating that the CSF installation has been completed. Next, check that CSG actually works as required on this server. How? Make your way to the “/usr/local/csf/bin/” directory. Then, you’ll need to run “csftest.pl”, like so:

cd /usr/local/csf/bin/
perl csftest.pl

You’ll know that CSF is operating on your server with no issues if you see the following response:

RESULT: csf should function on this server

Step Three – Configuration of CSF

There’s one thing you should know before you dive into the process of configuring CSF: CentOS 7’s default firewall application (“firewalld”) must be stopped and removed from the startup.

To stop it:

systemctl stop firewalld

To disable and remove firewalld from the startup:

systemctl disable firewalld

Next, head to the CSF Configuration directory “/etc/csf/” and change the file “csf.conf” using the vim editor:

cd /etc/csf/
vim csf.conf

To apply the CSF firewall configuration, change line 11 “TESTING” to “0”.

TESTING = “0”

CSF enables traffic (incoming and outgoing) for the SSH standard port 22 by default. If you choose to utilize an alternative SSH port, add your port of choice to the configuration in line 139 “TCP_IN”.

Next, start CSF and LFD with the following command:

systemctl start csf
systemctl start lfd

Set up the csf and lfd services to start when booting:

systemctl enable csf
systemctl enable lfd

Now, you’ll see the CSF list default rules with command:

csf -l

Step Four – Basic CSF Commands

1. Starting the CSF firewall (enabling firewall rules):

csf -s

2. Flushing/stopping firewall rules.

csf -f

3. Reloading firewall rules.

csf -r

4. To allow an IP and add it to csf.allow.

csf -a 192.168.1.109

Here are the results:

Adding 192.168.1.109 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 192.168.1.109 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.109

5. Removal and deletion of an IP from csf.allow.

csf -ar 192.168.1.109

Here are the results:

Removing rule...
ACCEPT all opt -- in !lo out * 192.168.1.109 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.109

6. Denial of an IP and adding to csf.deny:

csf -d 192.168.1.109

Here are the results:

Adding 192.168.1.109 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 192.168.1.109 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.109

7. Removal and deletion of an IP from csf.deny.

csf -dr 192.168.1.109

Results:

Removing rule...
DROP all opt -- in !lo out * 192.168.1.109 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.109

8. Removal and unblocking every entry from csf.deny.

csf -df

Results:

DROP all opt -- in !lo out * 192.168.1.110 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.110
DROP all opt -- in !lo out * 192.168.1.111 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.111
csf: all entries removed from csf.deny

9. Searching for a pattern match on iptables (such as CIDR, IP, Port Number)

csf -g 192.168.1.110

Step Five – Advanced Configuration

Want to configure as and when you need to? Check out these CSF tweaks.

Go back to the csf configuration directory and change the csf.conf configuration file like so:

cd /etc/csf/
vim csf.conf

1. Non-blocking of IP addresses in your csf.allow files:

By default, LFD will block IPs under csf.allow files. But if you’re looking to make sure that a certain IP in csf.allow will never be blocked by LFD, navigate to the line 272 and edit “IGNORE_ALLOW” to “1”.

This can be helpful when you use a static IP at work or home and would like to make sure that the internet server or firewall never blocks it.

IGNORE_ALLOW = "1"

2. Enable incoming and outgoing ICMP

Head to the line 152 for incoming ping/ICMP:

ICMP_IN = "1"

And for outgoing ping ping/ICMP, go to line 159:

ICMP_OUT = "1"

3. Blocking specific countries

CSF gives you the option to deny or allow access to certain countries, through the CIDR (Country Code).

How? Go to line 836 and add the codes of those countries you want to allow or deny:

CC_DENY = "CN,UK,US"
CC_ALLOW = "ID,MY,DE"

4. Emailing the Su and SSH Login log

Another trick you can try is setting an address that LFD can use for sending alert emails about “SSH login” events and occasions when users run the “su” command.

To do this, find the line 1069 and edit the value to “1”:

LF_SSH_EMAIL_ALERT = "1"

LF_SU_EMAIL_ALERT = "1"

Input the email address you would like to use for this in line 588:

LF_ALERT_TO = "[email protected]"

Looking for extra changes you can make? Take a look at the options in the “/etc/csf/csf.conf” configuration files.

Conclusion

CSF is a valuable application-based firewall for iptables available Linux servers, offering a number of features. It is supported by Plesk, cPanel/WHM, DirectAdmin and Webmin.

Fortunately, CSF installation and configuration is simple, and it’s easy to use on the server, so it has the power to make security management much more efficient for sysadmins.

No comment yet, add your voice below!

Add a Comment

Your email address will not be published. Required fields are marked *

GET LATEST NEWS AND TIPS

  • Yes, please, I agree to receiving my personal Plesk Newsletter! WebPros International GmbH and other WebPros group companies may store and process the data I provide for the purpose of delivering the newsletter according to the WebPros Privacy Policy. In order to tailor its offerings to me, Plesk may further use additional information like usage and behavior data (Profiling). I can unsubscribe from the newsletter at any time by sending an email to [email protected] or use the unsubscribe link in any of the newsletters.

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden

Related Posts

Knowledge Base