How to install ConfigServer Security & Firewall (CSF) in RHEL, CentOS & Fedora

To install ConfigServer Security & Firewall (CSF)

A firewall is a useful and powerful way to add security to a server. It protects your server from malware, DoS and DDoS attacks, brute-force attempts, backdoors, rootkits and local exploits. This article explains how to install and configure the ConfigServer CSF firewall on Red Hat, CentOS and Fedora. CSF (ConfigServer Security & Firewall) is an advanced, open source firewall and security application.

To install required CSF Modules

The CSF script requires Perl modules.

[root@linuxhelp ~]# yum install perl-libwww-perl
Loaded plugins: auto-update-debuginfo, fastestmirror, protectbase, refresh-
: packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: centos.excellmedia.net
* epel: epel.mirror.net.in
* epel-debuginfo: epel.mirror.net.in
...
...
...
Installed:
perl-libwww-perl.noarch 0:5.833-2.el6

Complete!

To download CSF

Use the /tmp directory when downloading or installing new software. The wget command is used to download the CSF archive.

[root@linuxhelp ~]# cd /tmp/
[root@linuxhelp tmp]# wget http://www.configserver.com/free/csf.tgz
--2016-03-17 09:59:46-- http://www.configserver.com/free/csf.tgz
Resolving www.configserver.com... 109.70.137.78, 2a01:c0:2:22::3
Connecting to www.configserver.com|109.70.137.78|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
...
...
...

100%[======================================> ] 688,544 364K/s in 1.8s

2016-03-17 09:59:49 (364 KB/s) - “csf.tgz” saved [688544/688544]

To remove existing Firewall

The combination of APF (Advanced Policy Firewall) and BFD (Brute Force Detection) must be removed to avoid conflicts with CSF. Run the following command to remove the existing firewall.

[root@linuxhelp tmp]# sh /tmp/csf/remove_apf_bfd.sh
sh: /tmp/csf/remove_apf_bfd.sh: No such file or directory

I have not installed APF & BFD before; that's why it says no such file or directory.

To install CSF

Use the tar command to extract the archive, change to the newly created csf directory, and run the installer script.

[root@linuxhelp ~]# cd /tmp/
[root@linuxhelp tmp]# tar -xzf csf.tgz
[root@linuxhelp tmp]# cd csf
[root@linuxhelp csf]# sh install.sh
Selecting installer...

Running csf generic installer

Installing generic csf and lfd

Check we're running as root
...
...
...
mode of `/etc/init.d/lfd' retained as 0755 (rwxr-xr-x)
mode of `/etc/init.d/csf' retained as 0755 (rwxr-xr-x)
`/etc/csf/csfwebmin.tgz' -> `/usr/local/csf/csfwebmin.tgz'

Installation Completed

To configure CSF

The commands above install CSF and start it in testing mode. Before disabling testing mode, configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options for your server. Make the following changes in the file /etc/csf/csf.conf.

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

Disable testing mode by changing the variable TESTING = "1" to TESTING = "0":

TESTING = "0"
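
The checks below are an added example, not part of the original article or of CSF itself: a small shell script that reads a csf.conf-style file and confirms, before csf -r is run, that TESTING has been set to 0 and that the SSH port is still listed in TCP_IN. The function names, the sample file and the assumption that SSH listens on port 22 are constructed for illustration.

```bash
#!/bin/bash
# Added example: sanity checks on a csf.conf-style file before running "csf -r".
# Function names and the sample file are constructed for illustration.

# Print the value of KEY from lines of the form: KEY = "value"
csf_get() {  # usage: csf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$1" | tail -n 1
}

# Succeed if PORT is covered by the list in KEY (ranges are written low:high).
csf_port_allowed() {  # usage: csf_port_allowed FILE KEY PORT
    local list item lo hi
    list=$(csf_get "$1" "$2" | tr -d '[:space:]')
    local IFS=,
    for item in $list; do
        case $item in
            *:*) lo=${item%%:*}; hi=${item##*:}
                 if [ "$3" -ge "$lo" ] && [ "$3" -le "$hi" ]; then return 0; fi ;;
            *)   if [ "$item" = "$3" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Print findings; return non-zero if the file is not ready to be reloaded.
csf_precheck() {  # usage: csf_precheck FILE SSH_PORT
    local rc=0
    if [ "$(csf_get "$1" TESTING | tr -d '[:space:]')" != "0" ]; then
        echo "TESTING is not 0: csf is still in testing mode"; rc=1
    fi
    if ! csf_port_allowed "$1" TCP_IN "$2"; then
        echo "port $2 is not in TCP_IN: remote SSH access would be dropped"; rc=1
    fi
    return $rc
}

# Constructed sample (not a real server's configuration).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
UDP_OUT = "20,21,53,113,123,33434:33523"
EOF
csf_precheck "$SAMPLE" 22 || true
```

On an installed system, pass /etc/csf/csf.conf and the port sshd actually listens on to csf_precheck.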

To start CSF

Enable csf to start at boot time, then reload the rules.

[root@linuxhelp csf]# chkconfig --level 235 csf on
[root@linuxhelp csf]# csf -r
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
...
...
...
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 ->  0.0.0.0/0
LOCALOUTPUT all opt in * out !lo ::/0 ->  ::/0
LOCALINPUT all opt in !lo out * ::/0 ->  ::/0

CSF Configuration Usage and Options

csf.conf : The main configuration file for controlling CSF.
csf.deny : The list of denied IPs and CIDR addresses on the firewall.
csf.allow : The list of allowed IPs and CIDR addresses on the firewall.
csf.*ignore : The various ignore files for users and IPs.
csf.ignore : The list of ignored IPs and CIDR addresses on the firewall.

Commands and Options of CSF

Option -r is used to reload all rules.
Option -d is used to deny an IP address.
Option -a is used to allow an IP address.

# csf -d IPADDRESS
# csf -a IPADDRESS
# csf -r

To deny host

Example

[root@linuxhelp csf]# csf -d 192.168.7.101
Adding 192.168.7.101 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 192.168.7.101 ->  0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 ->  192.168.7.101

[root@linuxhelp csf]# csf -r
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
...
...
....
LOCALOUTPUT all opt in * out !lo ::/0 ->  ::/0
LOCALINPUT all opt in !lo out * ::/0 ->  ::/0

To list the rules

[root@linuxhelp csf]# csf -l
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source des
.....
.....
.....
Chain DENYIN (1 references)
num pkts bytes target prot opt in out source destination

1 1 165 DROP all -- !lo * 192.168.7.101 0.0.0.0/0

...
...
...

To verify the output

[root@linuxhelp csf]# ping 192.168.7.101
PING 192.168.7.101 (192.168.7.101) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

To add a host to the allow list

[root@linuxhelp csf]# csf -a 192.168.7.101
Removing 192.168.7.101 from csf.deny...
Removing rule...
DROP all opt -- in !lo out * 192.168.7.101 ->  0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 ->  192.168.7.101
Adding 192.168.7.101 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 192.168.7.101 ->  0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 ->  192.168.7.101

[root@linuxhelp csf]# csf -r
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
...
...
...

To list the rules

[root@linuxhelp csf]# csf -l
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- !lo * 8.8.8.8 0.0.0.0/0 tcp dpt:53

Chain ALLOWOUT (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * !lo 0.0.0.0/0 192.168.7.101

.....

To verify output

[root@linuxhelp csf]# ping 192.168.7.101
PING 192.168.7.101 (192.168.7.101) 56(84) bytes of data.
64 bytes from 192.168.7.101: icmp_seq=1 ttl=128 time=1.40 ms
64 bytes from 192.168.7.101: icmp_seq=2 ttl=128 time=0.377 ms
64 bytes from 192.168.7.101: icmp_seq=3 ttl=128 time=0.321 ms
64 bytes from 192.168.7.101: icmp_seq=4 ttl=128 time=0.241 ms
64 bytes from 192.168.7.101: icmp_seq=5 ttl=128 time=0.341 ms
............

To get the list of all options

Type csf without arguments to get the list of all options.

[root@linuxhelp csf]# csf
csf: v8.16 (generic)
csf(1)
...
...
...
NAME
csf - ConfigServer &  Security Firewall

SYNOPSIS
csf [OPTIONS]
.....

To remove CSF Firewall

Run the uninstall script located at /etc/csf/uninstall.sh to remove the CSF firewall.

[root@linuxhelp csf]# /etc/csf/uninstall.sh
Uninstalling csf and lfd...

Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
...
...
...
removed directory: `/var/lib/csf/ui' 
removed directory: `/var/lib/csf' 

...Done

This command erases the CSF firewall completely, along with all its files and folders.

FAQ
Q
How can lfd be told not to monitor certain processes?
A
Add those processes to the csf.pignore file so that lfd ignores them.
Q
What is the daemon process for csf?
A
lfd is the daemon process for csf. lfd looks for attacks such as brute-force login attempts and, if it finds one, blocks the IP address attempting to attack the server.
Q
Where can the csf logs be found on the command line?
A
You can find them under the path "/var/log/lfd.log".
Q
What is the command to disable csf?
A
You can disable CSF with the command "csf -x".
Q
Where can I find the allowed ports?
A
The allowed ports are listed under TCP_IN, TCP_OUT, UDP_IN and UDP_OUT.