Install CSF/LFD Firewall on a Linux Server

From the server administrator's point of view, what is the first thing you think about for server security when you set up a new server for production? Everybody thinks about the FIREWALL. Many free, open-source software firewalls are available, and we need to install and configure one according to our needs. In this article we are going to explain the installation and configuration of ConfigServer Security & Firewall (CSF) on Linux. This standard installation is common to all Linux distributions.

What is CSF?

ConfigServer Security & Firewall (CSF) is an open-source software firewall suitable for Linux servers. It works on top of iptables. CSF is a straight-forward SPI (stateful packet inspection) iptables firewall script developed by Way to the Web Limited. CSF supports daemon process checks, login authentication failure detection (through its companion Login Failure Daemon, lfd) and packet filtering.

CSF Highlights

  • Straight-forward SPI iptables firewall script
  • Daemon process checking
  • Login authentication failure checks (SSH, mail server, FTP & cPanel)
  • SSH & SU login notification
  • Alert for spam mail scripts
  • Suspicious process reporting
  • Excessive user processes reporting
  • Suspicious file reporting
  • BOGON packet protection
  • Port Scan tracking and blocking
  • Permanent and Temporary IP blocking
  • IPv6 Support with ip6tables
  • Permanent and Temporary IP allow
  • SYN Flood protection
  • IDS (Intrusion Detection System)

1) Prerequisite package installation

You need to install the following Perl modules on your system so that CSF installs without errors.

# Ubuntu based distribution #
root@server:~# apt-get install liblist-compare-perl

# CentOS based distribution #
root@server:~# yum install perl-libwww-perl

2) Downloading and installing CSF

Installation is quite straightforward; use the steps below to install it. The installer creates the /etc/csf directory and installs the configuration there (its scripts live under /usr/local/csf).

root@server:~# cd /opt
root@server:/opt# wget http://www.configserver.com/free/csf.tgz
--2014-10-11 11:12:26--  http://www.configserver.com/free/csf.tgz
Resolving www.configserver.com (www.configserver.com)... 85.13.195.235
Connecting to www.configserver.com (www.configserver.com)|85.13.195.235|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://download.configserver.com/csf.tgz [following]
--2014-10-11 11:12:27--  http://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 85.10.199.177
Connecting to download.configserver.com (download.configserver.com)|85.10.199.177|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 629902 (615K) [application/x-gzip]
Saving to: ‘csf.tgz’

100%[=====================================================================================================>] 6,29,902    --.-K/s   in 0.1s    

2014-10-11 11:12:28 (5.92 MB/s) - ‘csf.tgz’ saved [629902/629902]

root@server:/opt# tar -zxvf csf.tgz
root@server:/opt# cd csf
root@server:/opt/csf# ./install.sh

After installing CSF you can remove the csf.tgz file and the csf directory from the /opt directory.

root@server:/opt# rm -Rf csf
root@server:/opt# rm -Rf csf.tgz

3) Testing iptables modules

Check whether the required iptables modules are available on your system:

root@server:/opt/csf# perl /usr/local/csf/bin/csftest.pl

4) Removing Existing Firewall

You should not run any other iptables firewall configuration script alongside CSF. For example, if you previously installed APF+BFD you need to remove it, otherwise the two will conflict. Run the command below to remove it.

root@server:/opt/csf# sh /usr/local/csf/bin/remove_apf_bfd.sh

5) Configuring CSF

After installing CSF you need to configure it properly so that you can still access everything, otherwise nothing will work on your server. The main configuration step is adding the required PORTS to the csf.conf file: TCP_IN, TCP_OUT, UDP_IN and UDP_OUT. The common ports below are enabled in CSF by default, and if you want to add/open any other port you can add it here.

root@server:/etc/csf# nano csf.conf

GNU nano 2.2.6                                   File: csf.conf

###############################################################################
# SECTION:IPv4 Port Settings
###############################################################################
# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

6) Enable CSF for Production

By default CSF runs in testing mode (TESTING = "1"): a cron job periodically flushes the iptables rules so that a configuration mistake cannot lock you out, and lfd does not start. Once you have confirmed that your SSH port is listed in TCP_IN, enable CSF for production by setting TESTING to 0 instead of 1 in the /etc/csf/csf.conf file.

root@server:/etc/csf# nano csf.conf

GNU nano 2.2.6                                   File: csf.conf

# lfd will not start when this is enabled
TESTING = "0"
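As an added example (not from the original article or the CSF project), the following script ties steps 5 and 6 together: it reads TCP_IN from a csf.conf-style file, checks that the SSH port from sshd_config is covered (including colon ranges such as 30000:35000), and only then flips TESTING from "1" to "0". The csf_get, port_in_list and csf_go_live names and the constructed sample files are my own.

```shell
#!/bin/sh
# Pre-flight check before taking CSF out of testing mode.
# Added example, not part of the original article or the CSF project.
# Assumptions: csf.conf uses the KEY = "value" layout shown above; the SSH
# port is the last "Port" line in sshd_config (22 if none); GNU sed -i.
set -u

# Print the value of a KEY = "value" line.  $1 = config file, $2 = key
csf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Succeed if port $2 is covered by the comma-separated list $1.
# Colon ranges (30000:35000) are honoured, as csf.conf allows.
port_in_list() {
    echo "$1" | tr -d ' ' | tr ',' '\n' | while IFS= read -r item; do
        case $item in
            *:*) lo=${item%%:*}; hi=${item##*:}
                 [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ] && echo yes ;;
            *)   [ "$item" = "$2" ] && echo yes ;;
        esac
    done | grep -q yes
}

# Set TESTING = "0" only when the SSH port is allowed in TCP_IN.
# $1 = csf.conf, $2 = sshd_config.  Returns 1 (file untouched) on lockout risk.
csf_go_live() {
    ssh_port=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$2" | tail -n 1)
    ssh_port=${ssh_port:-22}
    tcp_in=$(csf_get "$1" TCP_IN)
    if ! port_in_list "$tcp_in" "$ssh_port"; then
        echo "refusing to leave testing mode: SSH port $ssh_port not in TCP_IN=\"$tcp_in\"" >&2
        return 1
    fi
    sed -i 's/^\([[:space:]]*TESTING[[:space:]]*=[[:space:]]*\)"1"/\1"0"/' "$1"
    echo "TESTING set to 0 (SSH port $ssh_port is allowed)"
}

# Stand-alone demonstration on constructed sample files.
demo() {
    conf=$(mktemp); sshd=$(mktemp)
    printf 'TCP_IN = "20,21,22,25,53,80,443"\nTESTING = "1"\n' > "$conf"
    printf 'Port 2222\n' > "$sshd"          # sshd moved off 22, but TCP_IN was not updated
    csf_go_live "$conf" "$sshd" || echo "csf.conf left in testing mode"
    rm -f "$conf" "$sshd"
}
```

Run demo on the sample files, or point csf_go_live at /etc/csf/csf.conf and /etc/ssh/sshd_config on a real host before the service restart in step 7.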

7) Starting CSF

After making all the changes, restart the CSF service and reload the firewall rules.

# Restart the CSF service #
root@server:/etc/csf# service csf restart

# Reload the CSF firewall rules #
root@server:/etc/csf# csf -r

8) Adding Custom iptables Rules with CSF

CSF allows us to run external commands before and after csf configures iptables. Create the two files below (either under /usr/local/csf/bin/ or under /etc/csf/), give them executable permission and add your custom iptables rules to them.

# before csf configures iptables #
root@server:/etc/csf# touch /usr/local/csf/bin/csfpre.sh
or
root@server:/etc/csf# touch csfpre.sh
root@server:/etc/csf# chmod +x csfpre.sh

# after csf configures iptables #
root@server:/etc/csf# touch /usr/local/csf/bin/csfpost.sh
or
root@server:/etc/csf# touch csfpost.sh
root@server:/etc/csf# chmod +x csfpost.sh
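As an added example (not from the article or the CSF project), here is a csfpost.sh that restricts a management port to a trusted admin network and logs and drops everything else; the port 10000, the 192.0.2.0/24 network and the IPT/DRY_RUN variables are my own placeholders.

```shell
#!/bin/sh
# Example /usr/local/csf/bin/csfpost.sh: rules applied after CSF has built
# its own chains.  Added example, not from the article or the CSF project.
# Assumptions/placeholders: ADMIN_NET (TEST-NET-1 here) is your admin
# network, ADMIN_PORT a management service that TCP_IN does not expose,
# IPT the iptables binary.  DRY_RUN=1 prints the rules instead of applying them.
IPT=${IPT:-/sbin/iptables}
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}
ADMIN_PORT=${ADMIN_PORT:-10000}

# Insert rule "$@" at the top of INPUT unless an identical rule already exists.
# csf -r runs this script on every reload, so the -C check keeps it idempotent.
add_rule() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables -I INPUT $*"
        return 0
    fi
    "$IPT" -C INPUT "$@" 2>/dev/null || "$IPT" -I INPUT "$@"
}

# Because -I prepends, rules are added in reverse of their final order:
# the ACCEPT for the admin network must end up above the LOG and DROP.
apply_rules() {
    add_rule -p tcp --dport "$ADMIN_PORT" -j DROP
    add_rule -p tcp --dport "$ADMIN_PORT" -m limit --limit 5/min \
        -j LOG --log-prefix "csfpost mgmt-deny: "
    add_rule -p tcp --dport "$ADMIN_PORT" -s "$ADMIN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Apply only when executed as csfpost.sh, so the file can be sourced for review.
case ${0##*/} in csfpost.sh) apply_rules ;; esac
```

CSF's own csf.allow can already express a source-restricted allow such as tcp|in|d=10000|s=192.0.2.0/24; csfpost.sh is for what that syntax cannot express, like the rate-limited LOG rule here.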

9) Remove CSF Firewall

If you want to remove CSF, simply run the command below.

root@server:/etc/csf# /etc/csf/uninstall.sh

Magesh Maruthamuthu

Love to play with all Linux distribution
