It is the responsibility of the Linux administrator to keep the system secure and prevent any attacks.
To do so, there are hundreds of tweaks that a Linux administrator can make and CSF is one of them.
What is ConfigServer Security & Firewall (CSF)
ConfigServer Security & Firewall (CSF) is an iptables-based firewall that provides high-level security to the Linux system using iptables in the back-end.
A Stateful Packet Inspection (SPI) iptables firewall is straight-forward, easy and flexible to configure and secure with extra checks for Linux servers.
CSF comes with a service called Login Failure Daemon (LFD), which runs every X seconds and periodically scans the latest log file entries for login attempts and block those IPs, if it’s continually fail within a short period of time.
These efforts are often referred to as “Brute-force attacks”.
Csf supports major Linux operating systems such as Red Hat Enterprise Linux (RHEL), CentOS, Fedora, CloudLinux, Ubuntu, Debian, openSUSE and Slackware.
Also, it supports the following control panels such as cPanel, CentOS Web Panel (CWP), DirectAdmin, InterWorx and Webmin.
Optionally, you can enable web UI in a few simple steps if you needed.
CSF directory structure:
- /etc/csf/ – configuration files
- /var/lib/csf/ – temporary data files
- /usr/local/csf/bin/ – scripts
- /usr/local/csf/lib/ – perl modules and static data
- /usr/local/csf/tpl/ – email alert templates
How to Install ConfigServer Security & Firewall (CSF) on Linux
Installation is quite straightforward, follow the below procedure to install it.
How to Install Required Perl Modules on Linux for CSF
Most Perl modules must be installed by default when you install Perl on your system , but you will need to manually install the following Perl modules.
For RHEL/CentOS 6/7 systems, use the yum command to install the following Perl modules.
# yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph
For RHEL/CentOS 8 and Fedora systems, use the dnf command to install the following Perl modules.
# dnf install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph
# apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
Download and install the latest CSF archive source code using the wget command from the following URL.
# cd /usr/src # wget https://download.configserver.com/csf.tgz # tar -xzf csf.tgz # cd csf # sh install.sh
When you have finished the installation, run the “csftest.pl” script to check if your system has the required iptable modules.
# perl /usr/local/csf/bin/csftest.pl Testing ip_tables/iptable_filter...OK Testing ipt_LOG...OK Testing ipt_multiport/xt_multiport...OK Testing ipt_REJECT...OK Testing ipt_state/xt_state...OK Testing ipt_limit/xt_limit...OK Testing ipt_recent...OK Testing xt_connlimit...OK Testing ipt_owner/xt_owner...OK Testing iptable_nat/ipt_REDIRECT...OK Testing iptable_nat/ipt_DNAT...OK RESULT: csf should function on this server
Make a note: You should not run any other iptables firewall configuration script. For example, if you previously used APF+BFD you can remove them by running the below script.
# sh /usr/local/csf/bin/remove_apf_bfd.sh
If you are using modern Linux distributions, disable the firewalld service using the systemctl command.
# systemctl stop firewalld # systemctl disable firewalld
Run the following command to enable the lfd daemon otherwise it will fail to start. To do so, you need to change the value “TESTING = 1” to “TESTING = 0” in the file “/etc/csf/csf.conf” using the sed command.
# sed 's/TESTING = "1"/TESTING = "0"/g' /etc/csf/csf.conf
Run the following command to restart the CSF firewall for changes to take effect. You can easily manage the CSF firewall using the csf command.
# csf -r or # csf --restart
By default this allows a set of incoming and outgoing ports with comma-separated in the file “/etc/csf/csf.conf” in “TCP_IN and TCP_OUT”. You can add/modify them according to your needs.
# vi /etc/csf/csf.conf # Allow incoming TCP ports TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995" # Allow outgoing TCP ports TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
How to Limit Incoming Connections by Source
This option configures iptables to prevent DDOS attacks against specific ports. This option works by limiting the number of new concurrent connections to the IP address that can be made to specific ports.
To make this work, add the entries in the “CONNLIMIT” parameter. The syntax is “port;limit”, you can add multiple ports separated by commas.
# vi /etc/csf/csf.conf CONNLIMIT = "22;5,80;20"
The above settings only allow up to 5 concurrent new connections to port 22 per IP address and 20 concurrent new connections to port 80 per IP address.
How to Execute/Run Custom iptables Rules with CSF
CSF offers “csfpre.sh” and “csfpost.sh” scripts that allows you to run external commands before and/or after csf sets up the iptables chains and rules.
The “csfpre.sh and csfpost.sh” files should be created under “/usr/local/csf/bin” directory, which needs an executable permission.
Finally, add your custom scripts to the file based on your needs.
List of Important CSF Configuration Files
Below are the important configuration files that control the most of the rules in the CSF. If you manually modify these files, you will need to restart csf and then lfd them to take effect.
- csf.conf – the main configuration file, it has helpful comments explaining what each option does
- csf.allow – a list of IP’s and CIDR addresses that should always be allowed through the firewall
- csf.deny – a list of IP’s and CIDR addresses that should never be allowed through the firewall
- csf.ignore – a list of IP’s and CIDR addresses that lfd should ignore and not not block if detected
- csf.*ignore – various ignore files that list files, users, IP’s that lfd should ignore. See each file for their specific purpose and tax
How to Uninstall csf and lfd on Linux
Run the following script to remove csf and lfd from your system.
# sh /etc/csf/uninstall.sh