ConfigServer Firewall, also known as CSF, is a firewall configuration script created to provide better security for your server while giving you an easy to use, advanced interface for managing your firewall settings. CSF configures your server’s firewall to lock down public access to services and only allow certain connections, such as logging in to FTP, checking your email, or loading your websites.
This tutorial is done on a Centos7 64bit server for web services. All the succeeding commands should be executed with root permissions by logging in as root. The server that I have is configured for IPV4, if your server is configured for IPV6 you should protect both IPV4 & IPV6 at the same time.
Some of the features CSF can provide are:
...and many more.
We will need the following to be able to successfully setup CSF:
- An CentOS 7 x64 VPS server
- Root Access to the server
- An SSH client (You can download Putty or Bitvise depends on your operating system and liking)
When you have all this ingredients we can now start setting up CSF. Please follow the guide carefully, remember, you can always copy and paste the commands below for ease of installation and configuration.
To install CSF we will try to update or server first.
sudo yum update
And install the dependencies and CSF itself
sudo yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes
Extract the .tar file and enter the folder.
tar -xzf csf.tgz
If all is installed properly you should get the following information.
Don't forget to: 1. Configure the following options in the csf configuration to suite your server: TCP_*, UDP_* 2. Restart csf and lfd 3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so Adding current SSH session IP address to the csf whitelist in csf.allow: Adding 188.8.131.52 to csf.allow only while in TESTING mode (not iptables ACCEPT) *WARNING* TESTING mode is enabled - do not forget to disable it in the configuration Installation Completed
Now we will check if CSF is really working on this server. We will do a test to verify.
If you see the result as shown below then CSF should function without any problems on your server.
Testing ip_tables/iptable_filter...OK Testing ipt_LOG...OK Testing ipt_multiport/xt_multiport...OK Testing ipt_REJECT...OK Testing ipt_state/xt_state...OK Testing ipt_limit/xt_limit...OK Testing ipt_recent...OK Testing xt_connlimit...OK Testing ipt_owner/xt_owner...OK Testing iptable_nat/ipt_REDIRECT...OK Testing iptable_nat/ipt_DNAT...OK RESULT: csf should function on this server
CentOS7 has a built in firewall called firewalld. We need to stop and disable it before activating CSF.
systemctl stop firewalld
systemctl disable firewalld
Then we shall go to the CSF configuration file and edit to change testing to production phase. Go to "/etc/csf/" and edit the file "csf.conf".
Change TESTING to 0.
TESTING = "0"
Save and exit the file.
You can now run CSF and LFD by the below commands.
systemctl start csf
systemctl start lfd
Then enable CSF and LFD to be started at boot.
systemctl enable csf
systemctl enable lfd
To see list of rules.
To restart CSF.
Allowing an ip in csf.allow.
csf -a 184.108.40.206
Will output the following response from CSF:
Adding 220.127.116.11 to csf.allow and iptables ACCEPT... ACCEPT all opt -- in !lo out * 18.104.22.168 -> 0.0.0.0/0 ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 22.214.171.124 You have new mail in /var/spool/mail/root
Removing an ip from csf.allow.
csf -ar 126.96.36.199
Will result in:
Removing rule... ACCEPT all opt -- in !lo out * 188.8.131.52 -> 0.0.0.0/0 ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 184.108.40.206
Denying an ip and adding it to csf.deny.
csf -d 220.127.116.11
Will result in:
Adding 18.104.22.168 to csf.deny and iptables DROP... DROP all opt -- in !lo out * 22.214.171.124 -> 0.0.0.0/0 LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 126.96.36.199 You have new mail in /var/spool/mail/root
Removing an ip from csf.deny.
csf -dr 188.8.131.52
Removing rule... DROP all opt -- in !lo out * 184.108.40.206 -> 0.0.0.0/0 LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 220.127.116.11
Remove all entries in csf.deny.
csf: all entries removed from csf.deny
Let us go back to CSF configuration file.
Blocking or allowing only certain countries from connecting to your server by entering the country code in CC_DENY or CC_ALLOW.
CC_DENY = "BZ,CN,US" CC_ALLOW = "ID,PH,FR"
Limit the number of IP's kept in the /etc/csf/csf.deny file.
DENY_IP_LIMIT = "50"
Enable SYN Flood Protection. This option configures iptables to offer some protection from tcp SYN packet DOS attempts.
SYNFLOOD = "1" SYNFLOOD_RATE = "100/s" SYNFLOOD_BURST = "150"
Port Flood Protection. This option configures iptables to offer protection from DOS attacks against specific ports.
PORTFLOOD = 22;tcp;5;300,80;tcp;20;1
Means: 5 connections per IP-address per 300 seconds to the ssh server; and 20 connections per IP-address per second to the httpd server
This option allows access from the following countries to specific ports listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP.
CC_ALLOW_PORTS = "QA, PH, SA, KG" CC_ALLOW_PORTS_TCP = "21,22"
This option denies access from the following countries to specific ports listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
CC_DENY_PORTS = "CN" CC_DENY_PORTS_TCP = "22, 327"
Don't Block IP addresses that are in the csf.allow files.
IGNORE_ALLOW = "1"
Allow Incoming and Outgoing ICMP.
ICMP_IN = "1" ICMP_OUT = "1"
Send the Su and SSH Login log by Email.
LF_SSH_EMAIL_ALERT = "1" LF_SU_EMAIL_ALERT = "1" LF_ALERT_TO = "firstname.lastname@example.org"
CSF is a feature rich firewall application, if configured right it will do excellent to protect your server, make sure you understand most of the setup and you'll be fine and protected.