
[HowTo] Install and Configure CSF (Config Server Firewall) on CentOS 7

Posted: Mon Sep 10, 2018 2:38 pm
by xorro
Installation of CSF dependencies

CSF is written in Perl, so Perl has to be present on your server first. You also need wget to download the CSF installer and vim (or an editor of your choice) to edit the CSF configuration file. Install the packages with yum:

    yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes

Install CSF

Change to the "/usr/src/" directory and download CSF with wget:

    cd /usr/src/
    wget https://download.configserver.com/csf.tgz

Extract the tar.gz archive, change into the csf directory and run the installer:

    tar -xzf csf.tgz
    cd csf
    sh install.sh

The installer prints a message that the CSF installation is complete when it finishes.

Now check that CSF can actually run on this server. Change to "/usr/local/csf/bin/" and run "csftest.pl", which tests for the iptables modules CSF needs:

    cd /usr/local/csf/bin/
    perl csftest.pl

If the output ends with the line below, CSF will work on your server:

    RESULT: csf should function on this server

Configure CSF on CentOS 7

Before stepping into the CSF configuration, the first thing to know is that CentOS 7 ships with its own firewall service, firewalld. CSF manages iptables directly and the two must not run side by side, so stop firewalld and remove it from the startup. Between stopping firewalld and starting csf (below) the host has no packet filter at all, so do these steps back to back.

Stop firewalld:

    systemctl stop firewalld

Disable firewalld so it is not started at boot (masking it as well prevents another package or unit from pulling it back in later):

    systemctl disable firewalld
    systemctl mask firewalld

Then go to the CSF configuration directory "/etc/csf/" and edit the file "csf.conf" with vim:

    cd /etc/csf/
    vim csf.conf

CSF starts in testing mode: with TESTING = "1" it installs a cron job that flushes the iptables rules every TESTING_INTERVAL minutes (5 by default), so a configuration mistake cannot lock you out for long, and lfd refuses to start while the flag is set. Before leaving testing mode, check the port list first. By default CSF allows incoming and outgoing traffic on the standard SSH port 22; if your sshd listens on a different port, add that port to "TCP_IN" (line 139 in the author's version of csf.conf; line numbers shift between CSF releases, so search for the directive name rather than relying on them).

Only then change "TESTING" (line 11) to "0" so the rules stay in place:

    TESTING = "0"

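The ordering of these two edits (port list first, TESTING last) is the step people get wrong when they lock themselves out of a remote box. As an added example that is not code from the original post or from the CSF project, the following POSIX sh script edits the directives with a guard: it refuses to set TESTING to "0" until the sshd port is actually present in TCP_IN. It runs against a constructed sample csf.conf so it works offline; the sample path, its contents and the SSH_PORT value 2222 are assumptions for the demo. On a real server export CSF_CONF=/etc/csf/csf.conf and SSH_PORT=<your sshd port> before running it (the sample file is then not written), and run "csf -r" afterwards.

```shell
#!/bin/sh
# Added example (not from the original post or the CSF project): leave CSF
# testing mode only once the sshd port is listed in TCP_IN.

SSH_PORT="${SSH_PORT:-2222}"    # assumption: a non-default sshd port for the demo

# Without CSF_CONF we work on a constructed sample that uses the same
# `KEY = "value"` line syntax as csf.conf, with the CentOS 7 default port lists.
if [ -z "${CSF_CONF:-}" ]; then
    CSF_CONF="${TMPDIR:-/tmp}/csf.conf.sample.$$"
    cat > "$CSF_CONF" <<'EOF'
TESTING = "1"
TESTING_INTERVAL = "5"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
EOF
fi

# csf_get KEY: print the value of KEY without the surrounding quotes.
csf_get() {
    sed -n "s/^$1 = \"\(.*\)\"/\1/p" "$CSF_CONF"
}

# csf_set KEY VALUE: rewrite KEY in place. Copy-then-rename, so an
# interrupted run can never leave a truncated csf.conf behind.
csf_set() {
    tmp="$CSF_CONF.tmp.$$"
    sed "s/^$1 = \".*\"/$1 = \"$2\"/" "$CSF_CONF" > "$tmp" && mv "$tmp" "$CSF_CONF"
}

# list_has LIST PORT: succeed if PORT is an exact entry of the comma list.
# csf also accepts ranges such as 30000:35000; those are not expanded here.
list_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# ensure_port_in KEY PORT: append PORT to KEY's list if it is missing (idempotent).
ensure_port_in() {
    cur=$(csf_get "$1")
    list_has "$cur" "$2" || csf_set "$1" "$cur,$2"
}

# go_live PORT: set TESTING = "0" only if PORT is open inbound, else refuse.
go_live() {
    if list_has "$(csf_get TCP_IN)" "$1"; then
        csf_set TESTING 0
        return 0
    fi
    echo "refusing to set TESTING=0: port $1 is not in TCP_IN" >&2
    return 1
}

# Demo on the sample: the first attempt is refused (2222 is not in TCP_IN),
# then the port is added and the second attempt succeeds.
if ! go_live "$SSH_PORT"; then
    ensure_port_in TCP_IN "$SSH_PORT"
    go_live "$SSH_PORT"
fi
echo "TESTING=$(csf_get TESTING) TCP_IN=$(csf_get TCP_IN)"
```

csf.conf keeps every directive on one `KEY = "value"` line, which is why a single sed expression per key is sufficient; the copy-then-rename in csf_set is deliberate, because a half-written csf.conf is exactly the kind of mistake testing mode exists to survive.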

Now start CSF and LFD with systemctl:

    systemctl start csf
    systemctl start lfd

Then enable both services so they start at boot:

    systemctl enable csf
    systemctl enable lfd

You can now list the iptables rules CSF has installed with:

    csf -l

Basic CSF Commands

1. Start the firewall (enable the firewall rules):

    csf -s

2. Flush/stop the firewall rules:

    csf -f

3. Reload the firewall rules (run this after every change to csf.conf):

    csf -r

4. Allow an IP and add it to csf.allow:

    csf -a 192.168.1.109

Result:

    Adding 192.168.1.109 to csf.allow and iptables ACCEPT...
    ACCEPT  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0
    ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109

5. Remove an IP from csf.allow and delete its rules:

    csf -ar 192.168.1.109

Result:

    Removing rule...
    ACCEPT  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0
    ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109

6. Deny an IP and add it to csf.deny:

    csf -d 192.168.1.109

Result:

    Adding 192.168.1.109 to csf.deny and iptables DROP...
    DROP  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0
    LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109

7. Remove an IP from csf.deny and delete its rules:

    csf -dr 192.168.1.109

Result:

    Removing rule...
    DROP  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0
    LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109

8. Remove and unblock all entries from csf.deny:

    csf -df

Result:

    DROP  all opt -- in !lo out *  192.168.1.110  -> 0.0.0.0/0
    LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.110
    DROP  all opt -- in !lo out *  192.168.1.111  -> 0.0.0.0/0
    LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.111
    csf: all entries removed from csf.deny

9. Search iptables for a pattern match, e.g. an IP, a CIDR range or a port number:

    csf -g 192.168.1.110

Advanced Configuration

Here are some tweaks to CSF that you can apply as needed. The line numbers below refer to the author's version of csf.conf; they shift between CSF releases, so search for the directive name instead. After every change, run "csf -r" to reload the rules and "systemctl restart lfd" so lfd picks up the new settings.

Go back to the CSF configuration directory and edit csf.conf:

    cd /etc/csf/
    vim csf.conf

1. Don't block IP addresses that are listed in csf.allow.

By default lfd can still block an IP that is listed in csf.allow. If you want addresses in csf.allow never to be blocked by lfd, go to line 272 and change "IGNORE_ALLOW" to "1". This is useful when you administer the server from a static IP at home or in the office and want to be sure that address never gets locked out. It trusts every entry in csf.allow unconditionally, so keep that file short; to exempt a single address from lfd blocking without opening the firewall to it, list it in csf.ignore instead.

    IGNORE_ALLOW = "1"

2. Allow incoming and outgoing ICMP.

Go to line 152 for incoming ping/ICMP:

    ICMP_IN = "1"

And line 159 for outgoing ping/ICMP:

    ICMP_OUT = "1"

3. Block certain countries.

CSF can allow and deny access by country using two-letter ISO 3166-1 country codes (CC). Note that the code for the United Kingdom is GB; "UK" is not an ISO code and would match nothing. Go to line 836 and add the country codes to deny and to allow:

    CC_DENY = "CN,GB,US"
    CC_ALLOW = "ID,MY,DE"

The lookups depend on the MaxMind GeoLite country database that CSF downloads; newer CSF releases need a MaxMind license key in MM_LICENSE_KEY for that download. Country blocks expand to thousands of iptables rules, so set LF_IPSET = "1" (which needs the ipset package installed) to keep them manageable.

4. Send su and SSH login alerts by email.

lfd can send an email for every SSH login and every use of the "su" command. Go to line 1069 and set both options to "1":

    LF_SSH_EMAIL_ALERT = "1"

    ...

    LF_SU_EMAIL_ALERT = "1"

Then define the recipient address in line 588 (if it is left empty, alerts go to the local root mailbox):

    LF_ALERT_TO = "[email protected]"

If you want more tweaks, read the options in the "/etc/csf/csf.conf" configuration file; every directive is documented in the comment above it.