Install ConfigServer Security & Firewall (CSF) in RHEL,CentOS & Fedora
When it comes to servers security, only one thing comes to mind called Firewall, because firewalls are very useful and much powerful way to add security to servers. A properly configured firewall can protect your server from Malware, Brute force, DOS and DDOS, backdoors, rootkits and local exploits on your server.
One of the most popular and extremely highly reliable Firewall exists on the internet is called CSF (ConfigServer Security & Firewall). This can be easily integrated with Webmin control panel. but in this article we will only discuss on how to configure CSF firewall in Red Hat 6.3/6.2/6.1/6/5.8, CentOS 6.3/6.2/6.1/6/5.8 and Fedora 17,16,15,14,13,12. In our up-coming article we will provide you a way to integrate CSF with Webmin panel.
What is CSF?
CSF (ConfigServer Security & Firewall) is an open source stateful and much advanced firewall and security application for Linux servers with much more configuration options as compared to any other firewalls. To know more about features go to http://www.configserver.com/cp/csf.html.
Step 1: Installing Required CSF Modules
Install required Perl modules for CSF script, otherwise you will see an error like libwww not being installed.
# yum install perl-libwww-perl
Step 2: Downloading CSF
It’s very good idea to use /tmp directory when downloading or installing any new software’s. Use Wget command to download the CSF script.
# cd /tmp # wget http://www.configserver.com/free/csf.tgz
Step 3: Removing Existing Firewall
Remove if you are using any other iptables firewall scripts like APF (Advanced Policy Firewall) or BFD (Brute Force Detection), because you should not run both the firewall scripts on same server otherwise they will conflict with each other horribly. So, to prevent such conflicts you must remove both the combination APF+BFD by running un-install script provided by CSF module.
# sh /tmp/csf/remove_apf_bfd.sh
Step 4: Installing CSF
Once the download completes, extract the all the files using Tar command and change to newly created CSF directory. Then run the installer script to install it.
# cd /tmp # tar -xzf csf.tgz # cd csf # sh install.sh
Step 5: Configuring CSF
The above script will install and starts CSF in a “Testing” mode. Which means it doesn’t fully protect your server from anything. To disable “Testing” mode you need to configure your CSF for TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options that best suits your requirements. Open the file called /etc/csf/csf.conf and make following changes.
# Allow incoming TCP ports TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995" # Allow outgoing TCP ports TCP_OUT = "20,21,22,25,53,80,110,113,443" # Allow incoming UDP ports UDP_IN = "20,21,53" # Allow outgoing UDP ports # To allow outgoing traceroute add 33434:33523 to this list UDP_OUT = "20,21,53,113,123"
Once you happy with your CSF configuration, you can disable “Testing” mode by changing variable TESTING = “1” to TESTING = “0”. But before changing it, I highly recommend you to read complete CSF readme file at http://configserver.com/free/csf/readme.txt.
TESTING = "0"
Step 6: Starting CSF
Now it’s ready to start the csf daemon and enable csf to start at reboot time.
# chkconfig --level 235 csf on # service csf restart
Step 7: CSF Configuration Options and Usage
These following options are used to modify and control csf configuration. All the configuration files of csf are located under /etc/csf directory. If you modify any of the following files you will need to restart the csf daemon to take changes.
- csf.conf : The main configuration file for controlling CSF.
- csf.allow : The list of allowed IP’s and CIDR addresses on the firewall.
- csf.deny : The list of denied IP’s and CIDR addresses on the firewall.
- csf.ignore : The list of ignored IP’s and CIDR addresses on the firewall.
- csf.*ignore : The list of various ignore files of users, IP’s.
Step 8: CSF Commands and Options
Some of the common command line options to add or deny IP addresses. option -d is used to deny an IP address, option -a is used to allow an IP address and option -r is used to reload all rules.
# csf -d IPADDRESS # csf -a IPADDRESS # csf -r
If in-case, you have forgotten csf commands, just type csf on the terminal you will get the list of all the options.
That’s it, finally you have managed to installed and configured your firewall successfully. If you’re facing any trouble while installing just post your queries using our comment section below, we will love to solve all your queries.
Step 9: Remove CSF Firewall
If you would like to remove CSF firewall completely, just run the following script located under /etc/csf/uninstall.sh directory.
The above command will erase CSF firewall completely with all the files and folders.