How to install and configure CSF on CentOS 8.1
Introduction:
CSF, the Config Server Firewall, is a firewall configuration script designed to provide more reliable security for the server and a user-friendly interface for managing firewall settings. It comes with a service called Login Failure Daemon, or LFD. This tutorial covers the installation of CSF on CentOS 8.1.
Installation Process:
Install the CSF dependencies
[root@linuxhelp ~]# yum install perl-libwww-perl.noarch perl-Time-HiRes -y
CentOS Linux 8 - AppStream 114 kB/s | 6.2 MB 00:55
CentOS Linux 8 - BaseOS 98 kB/s | 2.3 MB 00:23
Last metadata expiration check: 0:00:03 ago on Wednesday 09 December 2020 11:24:40 AM IST.
Dependencies resolved.
Installing:
perl-Time-HiRes x86_64 1.9758-1.el8 appstream 61 k
perl-libwww-perl noarch 6.34-1.module_el8.3.0+416+dee7bcef appstream 212 k
perl-Digest-HMAC noarch 1.03-17.module_el8.3.0+416+dee7bcef appstream 20 k
perl-Digest-SHA x86_64 1:6.02-1.el8 appstream 66 k
(2/23): perl-Digest-HMAC-1.03-17.module_el8.3.0+416+dee7bcef.noarch.rpm 15 kB/s | 20 kB 00:01
(7/23): perl-HTTP-Date-6.02-19.module_el8.3.0+416+dee7bcef.noarch.rpm 28 kB/s | 19 kB 00:00
(8/23): perl-HTML-Parser-3.72-15.module_el8.3.0+416+dee7bcef.x86_64.rpm 88 kB/s | 119 kB 00:01
(9/23): perl-HTTP-Cookies-6.04-2.module_el8.3.0+416+dee7bcef.noarch.rpm 48 kB/s | 39 kB 00:00
(10/23): perl-HTTP-Negotiate-6.01-19.module_el8.3.0+416+dee7bcef.noarch.rpm 44 kB/s | 22 kB 00:00
Running transaction
Preparing : 1/1
Installing : perl-Compress-Raw-Zlib-2.081-1.el8.x86_64 1/23
Installing : perl-LWP-MediaTypes-6.02-15.module_el8.3.0+416+dee7bcef.noarch 2/23
Installing : perl-Encode-Locale-1.05-10.module_el8.3.0+416+dee7bcef.noarch 3/23
Verifying : perl-Compress-Raw-Zlib-2.081-1.el8.x86_64 22/23
Verifying : perl-IO-Compress-2.081-1.el8.noarch 23/23
Installed products updated.
Installed:
perl-Compress-Raw-Bzip2-2.081-1.el8.x86_64
perl-Compress-Raw-Zlib-2.081-1.el8.x86_64
perl-Data-Dump-1.23-7.module_el8.3.0+416+dee7bcef.noarch
perl-TimeDate-1:2.30-15.module_el8.3.0+416+dee7bcef.noarch
perl-Try-Tiny-0.30-7.module_el8.3.0+416+dee7bcef.noarch
perl-WWW-RobotRules-6.02-18.module_el8.3.0+416+dee7bcef.noarch
perl-libwww-perl-6.34-1.module_el8.3.0+416+dee7bcef.noarch
Complete!
Change to the /mnt directory to download CSF
[root@linuxhelp csf]# cd /mnt
Use the command below to download CSF
[root@linuxhelp mnt]# wget https://download.configserver.com/csf.tgz
--2020-12-09 09:04:44-- https://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 85.10.199.177
Connecting to download.configserver.com (download.configserver.com)|85.10.199.177|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2048949 (2.0M) [application/x-gzip]
Saving to: ‘csf.tgz’
csf.tgz 100%[===========================================>] 1.95M 758KB/s in 2.6s
2020-12-09 09:04:47 (758 KB/s) - ‘csf.tgz’ saved [2048949/2048949]
Extract the downloaded CSF tar file. First create a directory named tp, since tar's -C option extracts into a directory that must already exist
[root@linuxhelp mnt]# tar -xvzf csf.tgz -C tp
csf/
csf/csf.deny
csf/reselleralert.txt
csf/csf.directadmin.pignore
csf/csf.service
csf/processtracking.txt
csf/downloadservers
csf/webminalert.txt
csf/filealert.txt
csf/lfd.service
csf/csf.logignore
csf/scriptalert.txt
csf/csf.suignore
csf/install.cpanel.sh
…
….
csf/uninstall.generic.sh
csf/csf.cyberpanel.pignore
csf/install.directadmin.sh
Move the extracted csf directory from tp to the src directory
[root@linuxhelp mnt]# mv tp/csf /usr/src/
Now change directory to the CSF.
[root@linuxhelp csf]# cd /usr/src/csf/
Long-list the current directory
[root@linuxhelp csf]# ls -la
total 216
drwxr-xr-x. 3 root root 4096 Jun 17 20:25 .
drwxr-xr-x. 5 root root 4096 Dec 9 11:57 ..
-rw-r--r--. 1 root root 7168 Nov 21 2016 admin_icon.svg
…
…
drwxr-xr-x. 5 root root 4096 Sep 25 2016 bootstrap
-rw-r--r--. 1 root root 12162 Oct 10 2015 bootstrap-chosen.css
…
…
-rw-r--r--. 1 root root 10058 Sep 5 2017 chosen.min.css
-rw-r--r--. 1 root root 29004 Sep 5 2017 chosen.min.js
-rw-r--r--. 1 root root 872 Oct 10 2015 chosen-sprite@2x.png
Run the install.sh file to install CSF.
[root@linuxhelp csf]# sh install.sh
Selecting installer...
Running csf generic installer
Installing generic csf and lfd
Check we're running as root
mkdir: created directory '/etc/csf'
'install.txt' -> '/etc/csf/install.txt'
Checking Perl modules...
Using configuration defaults
...Perl modules OK
mkdir: cannot create directory ‘/etc/csf’: File exists
mkdir: created directory '/var/lib/csf'
mkdir: created directory '/var/lib/csf/backup'
mkdir: created directory '/var/lib/csf/Geo'
mkdir: created directory '/var/lib/csf/ui'
…
…
…
mode of '/etc/csf/uninstall.sh' retained as 0700 (rwx------)
chmod: cannot access '/etc/csf/*.php': No such file or directory
failed to change mode of '/etc/csf/*.php' from 0700 (rwx------) to 0700 (rwx------)
chmod: cannot access '/etc/csf/*.py': No such file or directory
mode of '/etc/csf/webmin/csf/index.cgi' changed from 0600 (rw-------) to 0700 (rwx------)
TCP ports currently listening for incoming connections:
22,53,111,139,445
UDP ports currently listening for incoming connections:
53,67,111,137,138,5353,32985
Installation Completed
Edit the configuration file to start the lfd service
[root@linuxhelp csf]# vim /etc/csf/csf.conf
By default CSF runs in testing mode, so we have to disable it by setting TESTING = "0"
Start the csf and lfd services
[root@linuxhelp csf]# systemctl start csf lfd
Enable both services
[root@linuxhelp csf]# systemctl enable csf lfd
Use the command below to start CSF
[root@linuxhelp csf]# csf -s
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `LOCALOUTPUT'
…
…
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
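While TESTING is "1", CSF runs a cron job that periodically clears the firewall rules so that a mistake cannot lock you out; that safety net is gone once TESTING is "0" and csf -s loads the rules. The pre-flight check below is an added example, not part of the original tutorial or of CSF: it reads TESTING and TCP_IN from a csf.conf-style file and refuses when the SSH port is not in TCP_IN. The function names, the constructed sample file and port 2222 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of CSF): check that the SSH port is allowed in TCP_IN
# before switching csf.conf from TESTING = "1" to TESTING = "0".

# Print the last value assigned to KEY in a csf.conf-style file (KEY = "value").
csf_get() (   # usage: csf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
)

# Succeed if PORT is in a comma-separated port list; "lo:hi" entries are ranges.
port_in_list() (   # usage: port_in_list PORT LIST
    port=$1
    IFS=,
    for item in $2; do
        case $item in
            *:*) lo=${item%%:*}; hi=${item##*:}
                 if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then exit 0; fi ;;
            *)   if [ "$item" = "$port" ]; then exit 0; fi ;;
        esac
    done
    exit 1
)

# Print a verdict; succeed only if SSH stays reachable once testing mode is off.
preflight() (   # usage: preflight FILE [SSH_PORT]   (SSH_PORT defaults to 22)
    conf=$1; ssh_port=${2:-22}
    testing=$(csf_get "$conf" TESTING)
    tcp_in=$(csf_get "$conf" TCP_IN)
    echo "TESTING=$testing TCP_IN=$tcp_in ssh_port=$ssh_port"
    if ! port_in_list "$ssh_port" "$tcp_in"; then
        echo "REFUSE: port $ssh_port is missing from TCP_IN; add it before disabling testing mode"
        exit 1
    fi
    echo "OK: port $ssh_port is allowed in TCP_IN"
)

# Constructed sample input, not a real server's configuration.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,443,30000:35000"
EOF

preflight "$SAMPLE_CONF" 22             # sshd on the default port: allowed
preflight "$SAMPLE_CONF" 2222 || true   # sshd moved to 2222: refused
```

On a real server, point preflight at /etc/csf/csf.conf and pass the port your sshd actually listens on.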
To allow an IP address in the CSF firewall
[root@linuxhelp csf]# csf -a 192.168.7.104
Adding 192.168.7.104 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 192.168.7.104 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.7.104
This is the file where allowed IP addresses are stored
[root@linuxhelp csf]# vim /etc/csf/csf.allow
To deny an IP address in the CSF firewall
[root@linuxhelp csf]# csf -d 192.168.7.115
Adding 192.168.7.115 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 192.168.7.115 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.7.115
This is the file where denied IP addresses are stored.
[root@linuxhelp csf]# vim /etc/csf/csf.deny
To remove an entry from the allow list, use the following command
[root@linuxhelp csf]# csf -ar 192.168.7.104
Removing rule...
ACCEPT all opt -- in !lo out * 192.168.7.104 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.7.104
Now, to remove entries from the deny list, use the following command
[root@linuxhelp csf]# csf -dr 192.168.7.115
Removing rule...
DROP all opt -- in !lo out * 192.168.7.115 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.7.115
With this, the installation of CSF on CentOS 8.1 comes to an end.