Install and Configure CSF (ConfigServer Firewall) on Centos7 64bit
Introduction
ConfigServer Firewall, also known as CSF, is a firewall configuration script created to provide better security for your server while giving you an easy to use, advanced interface for managing your firewall settings. CSF configures your serverâs firewall to lock down public access to services and only allow certain connections, such as logging in to FTP, checking your email, or loading your websites.
This tutorial is done on a Centos7 64bit server for web services. All the succeeding commands should be executed with root permissions by logging in as root. The server that I have is configured for IPV4, if your server is configured for IPV6 you should protect both IPV4 & IPV6 at the same time.
Features
Some of the features CSF can provide are:
- Straight-forward SPI iptables firewall script
- Daemon process that checks for login authentication failures for:
- Courier imap, Dovecot, uw-imap, Kerio
- openSSH
- cPanel, WHM, Webmail (cPanel servers only)
- Pure-ftpd, vsftpd, Proftpd
- Mod_security failures (v1 and v2)
- Exim SMTP AUTH
- Custom login failures with separate log file and regular expression matching
- SSH login notification
- Excessive connection blocking
- SU login notification
- Server Security Check
- IDS (Intrusion Detection System)
...and many more.
Prerequisites
We will need the following to be able to successfully setup CSF:
- An CentOS 7 x64 VPS server
- Root Access to the server
- An SSH client (You can download Putty[1] or Bitvise[2] depends on your operating system and liking)
When you have all this ingredients we can now start setting up CSF. Please follow the guide carefully, remember, you can always copy and paste the commands below for ease of installation and configuration.
Installing CSF
To install CSF we will try to update or server first.
sudo yum update
And install the dependencies and CSF itself
sudo yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes
cd /usr/src/
wget https://download.configserver.com/csf.tgz
Extract the .tar file and enter the folder.
tar -xzf csf.tgz
cd csf
sh install.sh
If all is installed properly you should get the following information.
Don't forget to:
1. Configure the following options in the csf configuration to suite your server: TCP_*, UDP_*
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so
Adding current SSH session IP address to the csf whitelist in csf.allow:
Adding 58.42.10.23 to csf.allow only while in TESTING mode (not iptables ACCEPT)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
Installation Completed
Now we will check if CSF is really working on this server. We will do a test to verify.
cd /usr/local/csf/bin/
perl csftest.pl
If you see the result as shown below then CSF should function without any problems on your server.
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Configuring CSF
CentOS7 has a built in firewall called firewalld. We need to stop and disable it before activating CSF.
systemctl stop firewalld
systemctl disable firewalld
Then we shall go to the CSF configuration file and edit to change testing to production phase. Go to "/etc/csf/" and edit the file "csf.conf".
cd /etc/csf/
nano csf.conf
Change TESTING to 0.
TESTING = "0"
Save and exit the file.
You can now run CSF and LFD by the below commands.
systemctl start csf
systemctl start lfd
Then enable CSF and LFD to be started at boot.
systemctl enable csf
systemctl enable lfd
Basics of CSF
To see list of rules.
csl -l
To restart CSF.
csf -r
Allowing an ip in csf.allow.
csf -a 50.25.25.10
Will output the following response from CSF:
Adding 50.25.25.10 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 50.25.25.10 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 50.25.25.10
You have new mail in /var/spool/mail/root
Removing an ip from csf.allow.
csf -ar 50.25.25.10
Will result in:
Removing rule...
ACCEPT all opt -- in !lo out * 50.25.25.10 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 50.25.25.10
Denying an ip and adding it to csf.deny.
csf -d 50.31.1.52
Will result in:
Adding 50.31.1.52 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 50.31.1.52 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 50.31.1.52
You have new mail in /var/spool/mail/root
Removing an ip from csf.deny.
csf -dr 50.31.1.52
Results in:
Removing rule...
DROP all opt -- in !lo out * 50.31.1.52 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 50.31.1.52
Remove all entries in csf.deny.
csf -df
Will output:
csf: all entries removed from csf.deny
Advanced CSF Setup
Let us go back to CSF configuration file.
cd /etc/csf/
nano csf.conf
Blocking or allowing only certain countries from connecting to your server by entering the country code in CC_DENY or CC_ALLOW.
CC_DENY = "BZ,CN,US"
CC_ALLOW = "ID,PH,FR"
Limit the number of IP's kept in the /etc/csf/csf.deny file.
DENY_IP_LIMIT = "50"
Enable SYN Flood Protection. This option configures iptables to offer some protection from tcp SYN packet DOS attempts.
SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
Port Flood Protection. This option configures iptables to offer protection from DOS attacks against specific ports.
PORTFLOOD = 22;tcp;5;300,80;tcp;20;1
Means: 5 connections per IP-address per 300 seconds to the ssh server; and 20 connections per IP-address per second to the httpd server
This option allows access from the following countries to specific ports listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP.
CC_ALLOW_PORTS = "QA, PH, SA, KG"
CC_ALLOW_PORTS_TCP = "21,22"
This option denies access from the following countries to specific ports listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
CC_DENY_PORTS = "CN"
CC_DENY_PORTS_TCP = "22, 327"
Don't Block IP addresses that are in the csf.allow files.
IGNORE_ALLOW = "1"
Allow Incoming and Outgoing ICMP.
ICMP_IN = "1"
ICMP_OUT = "1"
Send the Su and SSH Login log by Email.
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"
LF_ALERT_TO = "mymail@mydomain.tld"
CSF is a feature rich firewall application, if configured right it will do excellent to protect your server, make sure you understand most of the setup and you'll be fine and protected.
[1]: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
[2]: https://www.bitvise.com/ssh-client-download
Related Tutorials
Setup and Configuration of OpenVPN Server on CentOS 7.2Installing LAMP (Linux Apache MySQL and PHP) Stack on CentOS 7 64bit
Setup a Master-to-Master Replication Between Two MariaDB Servers
Install Node.js on CentOS 7
How to Install OpenLiteSpeed with PHP 7.3 and MariaDB 10.4 on CentOS 7
comments (1)
38116
- 6 years agoHi,
I just wanted to "CC_DENY_PORTS_TCP = "22, 327""
what is meaning of DENY TCP Port 327 ? how this will help?