How to install and configure CSF (CONFIGSERVER FIREWALL) on CentOS7 64bit

Introduction

ConfigServer Firewall, also known as CSF, is a firewall configuration script created to provide better security for your server while giving you an easy to use, advanced interface for managing your firewall settings. CSF configures your server’s firewall to lock down public access to services and only allow certain connections, such as logging in to FTP, checking your email, or loading your websites.

This tutorial was done on a CentOS 7 64-bit server used for web services. All of the following commands should be run with root permissions, logged in as root. My server is configured for IPv4; if your server is configured for IPv6, you should protect both IPv4 and IPv6 at the same time.

Features

Some of the features CSF can provide are:

Courier imap, Dovecot, uw-imap, Kerio
openSSH
cPanel, WHM, Webmail (cPanel servers only)
Pure-ftpd, vsftpd, Proftpd
Password protected web pages (htpasswd)
Mod_security failures (v1 and v2)
Exim SMTP AUTH
Custom login failures with separate log file and regular expression matching
POP3/IMAP login tracking to enforce logins per hour
SSH login notification

Allow Dynamic DNS IP addresses - always allow your IP address even if it changes whenever you connect to the internet
SYN Flood protection
Ping of death protection
Port Scan tracking and blocking

...lots more! More info can be found on their official page: https://configserver.com/cp/csf.html

Prerequisites

We will need the following to set up CSF successfully:

- CentOS 7 x64 VPS server
- Root access to the server
- SSH client (you can use PuTTY on Windows, or your preferred terminal if you are using Linux 😎)

Once you have the above ready, we can start setting up CSF. Please follow the guide carefully and remember, you can always copy and paste the commands below for ease of installation and configuration.

Installing CSF

To install CSF, we first need to update the packages:

~$ sudo yum update

Install the dependencies, then download the CSF archive into /usr/src/:

~$ sudo yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes
~$ cd /usr/src/
~$ wget https://download.configserver.com/csf.tgz

Extract the archive, enter the folder and run the installer:

~$ tar -xzf csf.tgz
~$ cd csf
~$ sh install.sh

If everything is installed properly you should get the following information:

Don't forget to:
1. Configure the following options in the csf configuration to suite your server: TCP_*, UDP_*
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so

Adding current SSH session IP address to the csf whitelist in csf.allow:
Adding 58.42.10.23 to csf.allow only while in TESTING mode (not iptables ACCEPT)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration

Installation Completed

Now we will check if CSF is functioning properly on the server. We will do a test to verify it.

~$ cd /usr/local/csf/bin/
~$ perl csftest.pl

If you see the result shown below, CSF is functioning without any issue on your server. Hooray!

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Configuring CSF

CentOS 7 has a built-in firewall called firewalld. We need to stop and disable it before activating CSF.

You can run the commands as shown below to stop the service:

~$ systemctl stop firewalld
~$ systemctl disable firewalld

Then we shall edit the CSF configuration file to change from TESTING to PRODUCTION mode.

Go to the path "/etc/csf/" and edit the file "csf.conf".

~$ cd /etc/csf
~$ vi csf.conf

Change TESTING to 0.

TESTING = "0"

Save and exit the file.

You can now start CSF and LFD with the commands below:

~$ systemctl start csf
~$ systemctl start lfd

Then enable CSF and LFD to be started during boot.

~$ systemctl enable csf
~$ systemctl enable lfd
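
Once TESTING is 0 the rules are enforced, so the port sshd listens on has to be in the inbound TCP list the installer told you to review (TCP_*). The check below is an added example, not part of CSF or of the original tutorial; it assumes the inbound list is the TCP_IN setting in csf.conf, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of CSF: check csf.conf for an SSH lockout.
# Assumes the inbound TCP port list is the TCP_IN setting.

# conf_get FILE KEY: value of the first line of the form KEY = "value"
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# sshd_port FILE: first Port directive of an sshd_config, default 22
sshd_port() {
    p=$(awk 'tolower($1) == "port" { print $2; exit }' "$1" 2>/dev/null || true)
    echo "${p:-22}"
}

# port_in_list LIST PORT: succeeds if PORT is in a comma-separated list
# whose entries are single ports or lo:hi ranges
port_in_list() {
    for item in $(echo "$1" | tr ',' ' '); do
        case $item in
            *:*) if [ "$2" -ge "${item%%:*}" ] && [ "$2" -le "${item##*:}" ]; then
                     return 0
                 fi ;;
            "$2") return 0 ;;
        esac
    done
    return 1
}

# csf_preflight CONF SSH_PORT: returns 1 if CONF does not admit SSH_PORT
csf_preflight() {
    tcp_in=$(conf_get "$1" TCP_IN)
    testing=$(conf_get "$1" TESTING)
    if ! port_in_list "$tcp_in" "$2"; then
        echo "FAIL: SSH port $2 is missing from TCP_IN=\"$tcp_in\""
        return 1
    fi
    [ "$testing" = "0" ] || echo "NOTE: TESTING=\"$testing\", lfd will not run yet"
    echo "OK: SSH port $2 is allowed by TCP_IN"
}

# Constructed sample; on a server use /etc/csf/csf.conf and
# "$(sshd_port /etc/ssh/sshd_config)" instead.
sample=$(mktemp)
printf '%s\n' 'TESTING = "1"' 'TCP_IN = "80,443,2222,30000:35000"' > "$sample"
csf_preflight "$sample" 22 || true   # sshd on 22 would be locked out
csf_preflight "$sample" 2222         # an sshd moved to 2222 is reachable
rm -f "$sample"
```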

Basic CSF commands

To see the list of rules:

csf -l

To restart CSF:

csf -r

Allowing an IP in csf.allow:

csf -a 105.90.20.5

Will output the following response from CSF:

Adding 105.90.20.5 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 105.90.20.5 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 105.90.20.5
You have new mail in /var/spool/mail/root

Removing an IP from csf.allow:

csf -ar 105.90.20.5

Will result in:

Removing rule...
ACCEPT all opt -- in !lo out * 105.90.20.5 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 105.90.20.5

Denying an IP and adding it to csf.deny:

csf -d 105.90.20.5

Will result in:

Adding 105.90.20.5 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 105.90.20.5 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 105.90.20.5
You have new mail in /var/spool/mail/root

Removing an IP from csf.deny:

csf -dr 105.90.20.5

Results in:

Removing rule...
DROP all opt -- in !lo out * 105.90.20.5 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 105.90.20.5

Remove all entries in csf.deny:

csf -df

Will output:

csf: all entries removed from csf.deny

Advanced CSF Setup

Let's hop back to the CSF configuration file:

~$ cd /etc/csf/
~$ vi csf.conf

Block or allow only certain countries from connecting to your server by entering their country codes in CC_DENY or CC_ALLOW.

CC_DENY = "BZ,CN,US"
CC_ALLOW = "ID,PH,FR"

Limit the number of IPs kept in the /etc/csf/csf.deny file.

DENY_IP_LIMIT = "50"

Enable SYN Flood Protection. This option configures iptables to offer some protection from TCP SYN packet DoS attempts.

SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"

Port Flood Protection. This option configures iptables to offer protection from DoS attacks against specific ports.

PORTFLOOD = "22;tcp;5;300,80;tcp;20;1"

This means: 5 connections per IP address per 300 seconds to the SSH server, and 20 connections per IP address per second to the httpd server.
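
A PORTFLOOD value is easy to get wrong because each entry packs four fields into one string. The decoder below is an added example, not part of CSF or of the original tutorial; it prints each entry in the same terms as the explanation above and rejects malformed entries. The function names are made up for illustration, and it assumes the protocol field is tcp or udp.

```shell
#!/bin/sh
# Added example, not part of CSF: decode and validate a PORTFLOOD value.

# is_uint STRING: succeeds if STRING is a non-empty run of digits
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# portflood_explain VALUE: prints one line per port;proto;hits;seconds entry,
# returns 1 if any entry is malformed
portflood_explain() {
    rc=0
    for entry in $(echo "$1" | tr ',' ' '); do
        IFS=';' read -r port proto hits secs extra <<EOF
$entry
EOF
        if [ -n "$extra" ] || ! is_uint "$port" || ! is_uint "$hits" ||
           ! is_uint "$secs" || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ] ||
           [ "$hits" -lt 1 ] || [ "$secs" -lt 1 ]; then
            echo "INVALID: $entry"; rc=1; continue
        fi
        case $proto in
            tcp|udp) ;;
            *) echo "INVALID: $entry (protocol must be tcp or udp)"; rc=1; continue ;;
        esac
        echo "port $port/$proto: $hits connections per IP address per $secs second(s)"
    done
    return $rc
}

portflood_explain '22;tcp;5;300,80;tcp;20;1'        # the value from this page
portflood_explain '22;tcp;5,443;icmp;20;1' || true  # two malformed entries
```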

The next option allows access from the listed countries to the specific ports given in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP.

CC_ALLOW_PORTS = "QA,PH,SA,KG"
CC_ALLOW_PORTS_TCP = "21,22"

The next option denies access from the listed countries to the specific ports given in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP.

CC_DENY_PORTS = "CN"
CC_DENY_PORTS_TCP = "22,327"

Don't block IP addresses that are listed in the csf.allow file.

IGNORE_ALLOW = "1"

Allow incoming and outgoing ICMP.

ICMP_IN  = "1"
ICMP_OUT = "1"

Send SU and SSH login alerts by email.

LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"
LF_ALERT_TO = "[email protected]"
