To Install And Configure CSF On RedHat 8.5

Introduction:

CSF Stands for ConfigServer Firewall. CSF is a firewall software designed to keep your server safe. It features an advanced web-based interface to manage firewall settings.CSF includes other security features, including login/intrusion/flood detections.

Installation Procedure:

Step 1: Check the installed version of OS by using the below command

[root@linuxhelp Downloads]# cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="8.5 (Ootpa)"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.5
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.5"

Step 2: Now install the CSF Dependency by using the below command

[root@linuxhelp Downloads]# yum install perl-libwww-perl.noarch perl-Time-HiRes
Updating Subscription Management repositories.
Unable to read consumer identity
Last metadata expiration check: 1:08:51 ago on Fri 08 Apr 2022 04:05:31 PM IST.
Dependencies resolved.

Is this ok [y/N]: y
Downloading Packages:
(1/23): perl-Data-Dump-1.23-7.module+el8.3.0+6498+9eecfe51.noarch.rpm                                        
(4/23): perl-Encode-Locale-1.05-10.module+el8.3.0+6498+9eecfe51.noarch.rpm                                  7.2 MB/s |  22 kB     00:00    Complete!

Step 3 Download the CSF package by using the below command

 [root@linuxhelp Downloads]# wget https://download.configserver.com/csf.tgz
--2022-04-08 17:16:40--  https://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 94.130.90.175
Connecting to download.configserver.com (download.configserver.com)|94.130.90.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2283608 (2.2M) [application/x-gzip]
Saving to: ‘csf.tgz’

csf.tgz                            100%[================================================================>]   2.18M  1.26MB/s    in 1.7s    

2022-04-08 17:16:42 (1.26 MB/s) - ‘csf.tgz’ saved [2283608/2283608]

Step 4: List the download package by using the below command

[root@linuxhelp Downloads]# ls -la 
total 2236
drwxr-xr-x.  2 root root      21 Apr  8 17:16 .
dr-xr-x---. 15 root root    4096 Apr  8 16:28 ..
-rw-r--r--.  1 root root 2283608 Mar  3 16:33 csf.tgz

Step 5: Extract the download Package by using the below command

[root@linuxhelp Downloads]# tar -xvf csf.tgz
csf/
csf/ConfigServer/
csf/ConfigServer/AbuseIP.pm
csf/ConfigServer/CheckIP.pm
csf/ConfigServer/CloudFlare.pm
csf/version.txt
csf/watchalert.txt
csf/webminalert.txt
csf/x-arf.txt

Step 6: List the extract directory by using the below command

[root@linuxhelp Downloads]# ls -la
drwxr-xr-x.  3 root root      32 Apr  8 17:22 .
dr-xr-x---. 15 root root    4096 Apr  8 16:28 ..
drwxr-xr-x. 20 root root    8192 Mar  3 16:33 csf
-rw-r--r--.  1 root root 2283608 Mar  3 16:33 csf.tgz

Step 7: Change the directory CSF by using the below command

[root@linuxhelp Downloads]# cd csf/

Step 8: Now install the CSF using shell script by using the below command

[root@linuxhelp csf]# sh install.sh 

mkdir: cannot create directory ‘/usr/local/csf/bin’: File exists
mkdir: cannot create directory ‘/usr/local/csf/lib’: File exists
'/etc/csf/webmin' -> '/usr/local/csf/lib/webmin'
mkdir: cannot create directory ‘webmin/csf/images’: File exists
mkdir: cannot create directory ‘ui/images’: File exists
mkdir: cannot create directory ‘da/images’: File exists
mkdir: cannot create directory ‘interworx/images’: File exists
'csf/admin_icon.svg' -> 'webmin/csf/images/admin_icon.svg'
'csf/bootstrap/fonts/glyphicons-halflings-regular.eot' -> 'webmin/csf/
Installation Completed

Step 9: Disable the firewalld Services by using the below command

[root@linuxhelp csf]# systemctl Disable firewalld

Step 10: Stop the Firewalld Services by using the below command

[root@linuxhelp csf]# systemctl stop firewalld

Step 11: Change the Following directory by using the below command

[root@linuxhelp csf]# cd /usr/local/csf/bin  

Step 12: Run the command to check CSF working or not by using the below command

[root@linuxhelp bin]# perl csftest.pl  
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server

Step 13: change Testing “1” to Testing “0” by using the below command

[root@linuxhelp bin]# vim /etc/csf/csf.conf
###############################################################################
#SECTION:Initial Settings
###############################################################################
#Testing flag - enables a CRON job that clears iptables incase of
#configuration problems when you start csf. This should be enabled until you
#lfd will not start while this is enabled
TESTING = "0"
#will be cleared in 0-5 minutes from the firewall start

Step 14: Enable the both CSF and IFD Services by using the below command

[root@linuxhelp bin]# systemctl enable csf lfd 

Step 15: Start the both CSF and IFD Services by using the below command

root@linuxhelp bin]# systemctl start csf lfd 

Step 16: Start the CSF by using the below command

[root@linuxhelp bin]# csf -s 
Flushing chain `INPUT'
Flushing chain `ALLOWOUT'
Flushing chain `LOCALINPUT'
Flushing chain `ALLOWOUT'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
ALLOWIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 17: Allow the IP using CSF by using the below command

[root@linuxhelp bin]# csf -a 192.168.6.110
Adding 192.168.6.110 to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  192.168.6.110  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.110  
EPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.110  

Step 18: Check the allowed IP list by using the below command

[root@linuxhelp bin]# vim /etc/csf/csf.allow
Advanced port+ip filtering allowed with the following format
#tcp/udp|in/out|s/d=port|s/d=ip
#Note: IP addressess listed in this file will NOT be ignored by lfd, so they
#can still be blocked. If you do not want lfd to block an IP address you must
#add it to csf.ignore
192.168.6.110 # Manually allowed: 192.168.6.110 (-) - Fri Apr  8 17:41:31 2022

[root@linuxhelp bin]# csf -ar 192.168.6.110
Removing rule...
ACCEPT  all opt -- in !lo out *  192.168.6.110  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.110  
192.168.6.110 # Manually allowed: 192.168.6.110 (-) - Fri Apr  8 17:38:22 2022

[root@linuxhelp bin]# csf -d 192.168.6.120
Adding 192.168.6.120 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  192.168.6.120  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.120

[root@linuxhelp bin]# vim /etc/csf/csf.deny

###############################################################################
#The following IP addresses will be blocked in iptables# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
#Only list IP addresses, not domain names (they will be ignored)
#Note: If you add the text "do not delete" to the comments of an entry then
#See readme.txt for more information regarding advanced port filtering
192.168.6.120 # Manually denied: 192.168.6.120 (-) - Sat Apr  9 09:17:01 2022

[root@linuxhelp bin]# csf -dr 192.168.6.120
Removing rule...
DROP  all opt -- in !lo out *  192.168.6.120  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.120 

[root@linuxhelp bin]# csf -r 
Flushing chain `INPUT'
Flushing chain `OUTPUT'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.