Install CSF/LDF Firewall in Linux Server
From a server administrator's point of view, what do you think about first for server security when you set up a new production server? Everybody thinks about the FIREWALL. Many free, open-source software firewalls are available, and we need to install and configure one of them accordingly. In this article we explain the installation and configuration of ConfigServer Security & Firewall (CSF) on Linux. This standard installation is common to all Linux distributions.
What is CSF?
ConfigServer Security & Firewall (CSF) is an open-source software firewall for Linux boxes. It works on top of iptables. CSF is a straightforward SPI (stateful packet inspection) iptables firewall script developed by Way to the Web Limited. CSF supports daemon process checks, login authentication failure detection and packet filtering.
CSF Highlights
- Straight-forward SPI iptables firewall script
- Daemon process checking
- login authentication failures check (ssh, mail server, ftp & cpanel)
- SSH & SU login notification
- Alert for spam mail scripts
- Suspicious process reporting
- Excessive user processes reporting
- Suspicious file reporting
- BOGON packet protection
- Port Scan tracking and blocking
- Permanent and Temporary IP blocking
- IPv6 Support with ip6tables
- Permanent and Temporary IP allow
- SYN Flood protection
- IDS (Intrusion Detection System)
1) Prerequisite package installation
You need to install the required Perl modules on your system so that CSF installs without errors.
# Ubuntu based distribution #
[email protected]:~# apt-get install liblist-compare-perl

# CentOS based distribution #
[email protected]:~# yum install perl-libwww-perl
2) CSF Downloading & CSF Installation
Installation is quite straightforward; use the steps below to install it. The installer creates the /etc/csf directory and installs the configuration there.
[email protected]:~# cd /opt
[email protected]:/opt# wget http://www.configserver.com/free/csf.tgz
--2014-10-11 11:12:26-- http://www.configserver.com/free/csf.tgz
Resolving www.configserver.com (www.configserver.com)... 85.13.195.235
Connecting to www.configserver.com (www.configserver.com)|85.13.195.235|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://download.configserver.com/csf.tgz [following]
--2014-10-11 11:12:27-- http://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 85.10.199.177
Connecting to download.configserver.com (download.configserver.com)|85.10.199.177|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 629902 (615K) [application/x-gzip]
Saving to: ‘csf.tgz’

100%[=====================================================================================================>] 6,29,902 --.-K/s in 0.1s

2014-10-11 11:12:28 (5.92 MB/s) - ‘csf.tgz’ saved [629902/629902]

[email protected]:/opt# tar -zxvf csf.tgz
[email protected]:/opt# cd csf
[email protected]:/opt/csf# ./install.sh
After installing CSF you can remove the csf.tgz file and the csf directory from /opt.
[email protected]:/opt# rm -Rf csf
[email protected]:/opt# rm -Rf csf.tgz
3) Testing iptables modules
Check whether you have the required iptables modules:
[email protected]:/opt/csf# perl /usr/local/csf/bin/csftest.pl
4) Removing Existing Firewall
You should not run any other iptables firewall configuration script alongside CSF. For example, if you previously installed APF+BFD you need to remove it, otherwise the two will conflict. Run the command below to remove it.
[email protected]:/opt/csf# sh /usr/local/csf/bin/remove_apf_bfd.sh
5) Configuring CSF
After installing CSF you need to configure it properly so that you can access everything; otherwise nothing will work on your server. The main configuration step is adding the required PORTS to the csf.conf file, in the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT lists. The common ports below are enabled in CSF by default; if you want to add/open any other ports, you can add them here.
[email protected]:/etc/csf# nano csf.conf

GNU nano 2.2.6 File: csf.conf

###############################################################################
# SECTION:IPv4 Port Settings
###############################################################################
# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
6) Enable CSF for Production
By default CSF runs in testing mode (TESTING = "1"). To enable it for production, change the value from 1 to 0 in /etc/csf/csf.conf.
[email protected]:/etc/csf# nano csf.conf

GNU nano 2.2.6 File: csf.conf

# lfd will not start when this is enabled
TESTING = "0"
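As an added example (not part of the original article or of CSF itself), the POSIX shell helpers below read the TESTING flag and the port lists out of a csf.conf and answer whether a given port is covered, including colon ranges such as 30000:35000, so you can confirm SSH and your service ports are listed before switching TESTING to 0. The sample csf.conf fragment is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sanity-check a csf.conf before leaving testing mode.
# Handles the comma-separated port lists and colon ranges (e.g. 30000:35000).

# csf_get VAR FILE -> prints the quoted value of VAR (last definition wins)
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# csf_port_allowed PORT LIST -> returns 0 if PORT is in the list, 1 otherwise
csf_port_allowed() {
    port=$1
    for item in $(printf '%s' "$2" | tr ',' ' '); do
        case $item in
            *:*) lo=${item%%:*}; hi=${item##*:} ;;   # range lo:hi
            *)   lo=$item; hi=$item ;;               # single port
        esac
        [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
    done
    return 1
}

# csf_testing_mode FILE -> prints "testing" when TESTING = "1", else "production"
csf_testing_mode() {
    if [ "$(csf_get TESTING "$1")" = "1" ]; then echo testing; else echo production; fi
}

# Constructed sample csf.conf fragment (not a real server's configuration)
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443"
UDP_OUT = "20,21,53,113,123,33434:33523"
EOF

csf_testing_mode "$SAMPLE_CONF"          # testing
csf_port_allowed 22 "$(csf_get TCP_IN "$SAMPLE_CONF")" && echo "tcp/22 in: allowed"
csf_port_allowed 8080 "$(csf_get TCP_IN "$SAMPLE_CONF")" || echo "tcp/8080 in: not allowed"
csf_port_allowed 33450 "$(csf_get UDP_OUT "$SAMPLE_CONF")" && echo "udp/33450 out: allowed (range)"
```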
7) Starting CSF
After making all the changes, restart the CSF service and reload the CSF rules.
# Restart CSF service #
[email protected]:/etc/csf# service csf restart

# Restart CSF functionality (reload the firewall rules) #
[email protected]:/etc/csf# csf -r
8) Adding Custom iptables Rules with CSF
CSF allows us to run external commands before and after CSF configures iptables. Create the two files below, give them executable permission and add your custom iptables rules to them.
# before csf configures iptables #
[email protected]:/etc/csf# touch /usr/local/csf/bin/csfpre.sh
or
[email protected]:/etc/csf# touch csfpre.sh
[email protected]:/etc/csf# chmod +x csfpre.sh

# after csf configures iptables #
[email protected]:/etc/csf# touch /usr/local/csf/bin/csfpost.sh
or
[email protected]:/etc/csf# touch csfpost.sh
[email protected]:/etc/csf# chmod +x csfpost.sh
9) Remove CSF Firewall
If you want to remove CSF, simply run the command below.
[email protected]:/etc/csf# /etc/csf/uninstall.sh