How to Install CSF on CentOS 7.6

Installation of CSF on CentOS 7.6

Process

Installation of CSF dependencies

[root@linuxhelp ~]# yum install perl-libwww-perl.noarch perl-Time-HiRes
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.piconets.webwerks.in
 * epel: mirrors.bangmodhosting.com
 * extras: mirrors.nhanhoa.com
 * remi-php71: ftp.arnes.si
 * remi-safe: ftp.arnes.si
 * updates: mirrors.piconets.webwerks.in
Package 4:perl-Time-HiRes-1.9725-3.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package perl-libwww-perl.noarch 0:6.05-2.el7 will be installed
--> Processing Dependency: perl(WWW::RobotRules) >= 6 for package: perl-libwww-perl-6.05-2.el7.noarch
.
.
.
  perl-HTTP-Date.noarch 0:6.02-8.el7           perl-HTTP-Message.noarch 0:6.06-6.el7                   
  perl-HTTP-Negotiate.noarch 0:6.01-5.el7      perl-IO-HTML.noarch 0:1.00-2.el7                        
  perl-IO-Socket-IP.noarch 0:0.21-5.el7        perl-IO-Socket-SSL.noarch 0:1.94-7.el7                  
  perl-LWP-MediaTypes.noarch 0:6.02-2.el7      perl-Mozilla-CA.noarch 0:20130114-5.el7                 
  perl-Net-HTTP.noarch 0:6.06-2.el7            perl-Net-LibIDN.x86_64 0:0.12-15.el7                    
  perl-Net-SSLeay.x86_64 0:1.55-6.el7          perl-TimeDate.noarch 1:2.30-2.el7                       
  perl-URI.noarch 0:1.60-9.el7                 perl-WWW-RobotRules.noarch 0:6.02-5.el7                 

Complete!

Install CSF

Change to the /usr/src directory

[root@linuxhelp ~]# cd /usr/src

Download the CSF installation package using the wget command

[root@linuxhelp src]# wget https://download.configserver.com/csf.tgz
--2019-11-22 05:39:39--  https://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 85.10.199.177
Connecting to download.configserver.com (download.configserver.com)|85.10.199.177|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2048949 (2.0M) [application/x-gzip]
Saving to: ‘csf.tgz’

100%[=============================================================>] 2,048,949   91.4KB/s   in 32s    

2019-11-22 05:40:14 (62.9 KB/s) - ‘csf.tgz’ saved [2048949/2048949]

Extract the downloaded package

[root@linuxhelp src]# tar -xvf csf.tgz
csf/
csf/csf.deny
csf/reselleralert.txt
csf/csf.directadmin.pignore
csf/csf.service
csf/permblock.txt
csf/csf.1.txt
csf/ui/images/bootstrap/css/
.
.
csf/interworx/images/LICENSE.txt
csf/interworx/images/csf-loader.gif
csf/csf.syslogusers
csf/csftest.pl
csf/uninstall.generic.sh
csf/csf.cyberpanel.pignore
csf/install.directadmin.sh

Change into the csf directory

[root@linuxhelp src]# cd csf/
[root@linuxhelp csf]# ls -la

Install CSF using the installer shell script

[root@linuxhelp csf]# sh install.sh

Selecting installer...

Running csf generic installer

Installing generic csf and lfd

Check we're running as root

mkdir: created directory ‘/etc/csf’
‘install.txt’ -> ‘/etc/csf/install.txt’
Checking Perl modules...
Using configuration defaults


 ‘csf/csf.svg’ -> ‘webmin/csf/images/csf.svg’
‘csf/jquery.min.js’ -> ‘webmin/csf/images/jquery.min.js’
‘csf/LICENSE.txt’ -> ‘webmin/csf/images/LICENSE.txt’
‘csf/loader.gif’ -> ‘webmin/csf/images/loader.gif’
‘csf/reseller_icon.svg’ -> ‘webmin/csf/images/reseller_icon.svg’
‘/etc/csf/csfwebmin.tgz’ -> ‘/usr/local/csf/csfwebmin.tgz’

Installation Completed

Now you should check that CSF really works on this server

[root@linuxhelp csf]# cd /usr/local/csf/bin

Run the following command to check that CSF is working

[root@linuxhelp bin]# perl csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
.
.
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Configure CSF

Open the following file and edit the TESTING setting

[root@linuxhelp ~]# vim /etc/csf/csf.conf
#lfd will not start while this is enabled
TESTING = "0"

Start the csf and lfd services

[root@linuxhelp ~]# systemctl start csf lfd

Enable the csf and lfd services

[root@linuxhelp ~]# systemctl enable csf lfd

Start csf by using the following command

[root@linuxhelp ~]# csf -s
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
.
.
.
ACCEPT  all opt    in * out lo  ::/0  -> ::/0  
LOGDROPOUT  all opt    in * out !lo  ::/0  -> ::/0  
LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0  
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0  
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0  

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
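
The two settings that surface in the steps above (TESTING, and the RESTRICT_SYSLOG warning printed by csf -s) can be checked before the services are started. This is an added example, not part of CSF or the original tutorial; the function names are hypothetical and the sample configuration is constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of CSF: audit the csf.conf settings this page touches.
# Function names are hypothetical; the sample config below is constructed.

# Print the value of KEY ($1) from a csf.conf-style file ($2), lines like KEY = "value".
# The "=" must follow the key name, so TESTING does not match TESTING_INTERVAL.
csf_conf_get() {
    sed -n -E "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"([^\"]*)\".*/\1/p" "$2" | tail -n 1
}

# Print one finding per line. Returns 0 if clean, 1 on findings, 2 if unreadable.
csf_conf_audit() {
    local conf="${1:-/etc/csf/csf.conf}"
    local rc=0 testing syslog
    if [ ! -r "$conf" ]; then
        echo "ERROR: cannot read $conf"
        return 2
    fi
    testing="$(csf_conf_get TESTING "$conf")"
    syslog="$(csf_conf_get RESTRICT_SYSLOG "$conf")"
    # Anything other than "0" (including a missing key) is reported.
    if [ "$testing" != "0" ]; then
        echo "FAIL: TESTING=\"$testing\" (lfd will not start while this is enabled)"
        rc=1
    fi
    # Mirrors the *WARNING* line csf prints when this is "0".
    if [ -z "$syslog" ] || [ "$syslog" = "0" ]; then
        echo "WARN: RESTRICT_SYSLOG is disabled (see SECURITY WARNING in csf.conf)"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: a config that has not been edited yet.
sample_conf="$(mktemp)"
cat > "$sample_conf" <<'EOF'
# lfd will not start while this is enabled
TESTING = "1"
TESTING_INTERVAL = "5"
RESTRICT_SYSLOG = "0"
EOF

# Demo run on the sample; on a server call: csf_conf_audit /etc/csf/csf.conf
csf_conf_audit "$sample_conf" || true
```
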

Allow an IP address by using the following command

[root@linuxhelp ~]# csf -a 192.168.7.227
Adding 192.168.7.227 to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  192.168.7.227  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.7.227  

The allowed IP list is stored in the following file

[root@linuxhelp ~]# vim /etc/csf/csf.allow

192.168.7.227 # Manually allowed: 192.168.7.227 (-) - Fri Nov 22 08:31:24 2019

To remove the allowed IP from the list

[root@linuxhelp ~]# csf -ar 192.168.7.227
Removing rule...
ACCEPT  all opt -- in !lo out *  192.168.7.227  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.7.227  

Deny an IP address by using the following command

[root@linuxhelp ~]# csf -d 192.168.7.227
Adding 192.168.7.227 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  192.168.7.227  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.7.227  

Using the following command you can reload csf

[root@linuxhelp ~]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
.
.
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0  
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0  

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

The denied IP list is stored in the following file

[root@linuxhelp ~]# vim /etc/csf/csf.deny
192.168.7.227 # Manually denied: 192.168.7.227 (-) - Fri Nov 22 08:32:24 2019

To remove the denied IP from the list

[root@linuxhelp ~]# csf -dr 192.168.7.227
Removing rule...
DROP  all opt -- in !lo out *  192.168.7.227  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.7.227  
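
The steps above remove 192.168.7.227 from csf.allow before adding it to csf.deny. The following added example (not part of CSF or the original tutorial) reports any entry left in both files so the lists can be reviewed for contradictions. The function names are hypothetical, the sample files are constructed in the format shown above, and only the literal entry field before the "#" comment is compared.

```shell
#!/usr/bin/env bash
# Added example, not part of CSF: find entries listed in both csf.allow and
# csf.deny. Function names are hypothetical; the sample files are constructed.

# Print the entry field of each line in a csf.allow/csf.deny-style file:
# drop "# comment" text, surrounding whitespace and blank lines, de-duplicate.
csf_entries() {
    sed -E -e 's/#.*$//' -e 's/^[[:space:]]+//' -e 's/[[:space:]]+$//' "$1" \
        | grep -v '^$' | sort -u
}

# Print entries present in both files. Returns 0 if none, 1 if any conflict.
csf_allow_deny_conflicts() {
    local allow="${1:-/etc/csf/csf.allow}" deny="${2:-/etc/csf/csf.deny}"
    local tmp hits
    tmp="$(mktemp)"
    csf_entries "$allow" > "$tmp"
    # -F -x: compare whole lines as fixed strings, so 10.0.0.1 never matches 10.0.0.10
    hits="$(csf_entries "$deny" | grep -F -x -f "$tmp" || true)"
    rm -f "$tmp"
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample files (192.0.2.10 and 198.51.100.7 are documentation addresses).
demo_dir="$(mktemp -d)"
cat > "$demo_dir/csf.allow" <<'EOF'
192.168.7.227 # Manually allowed: 192.168.7.227 (-) - Fri Nov 22 08:31:24 2019
192.0.2.10 # constructed entry
EOF
cat > "$demo_dir/csf.deny" <<'EOF'
192.168.7.227 # Manually denied: 192.168.7.227 (-) - Fri Nov 22 08:32:24 2019
198.51.100.7 # constructed entry
EOF

# Demo run on the samples; on a server call the function with no arguments.
csf_allow_deny_conflicts "$demo_dir/csf.allow" "$demo_dir/csf.deny" || true
```
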

This is the method to install CSF on CentOS 7.6, and the tutorial comes to an end here.

FAQ

Q: Where to find csf logs in the command line?
A: You can find them under the following path: "/var/log/lfd.log"

Q: What is the command to disable csf?
A: You can disable CSF using the below-mentioned command: "csf -X"

Q: What is the daemon process for csf?
A: lfd is the daemon process for csf. LFD looks for attacks such as brute-force login attempts and, if found, blocks the IP address attempting to attack that server.

Q: How to make lfd not monitor certain processes?
A: You can add those processes to the csf.pignore file so that it will ignore them.

Q: What is the Config Server Firewall?
A: Config Server Firewall is abbreviated as CSF. CSF is the most commonly used firewall application to secure Linux servers. CSF has a wide range of options to manage the Linux firewall via the command line and from the control panel.