CSF (Config Server Firewall) is a firewall configuration script created to provide better security for your server while giving you an easy to use, advanced interface for managing your firewall settings. CSF configures your server’s firewall to lock down public access to services and only allow certain connections, such as logging in to FTP, checking your email, or loading your websites which makes your server more secure. CSF can detect when someone is logging into the server via SSH and alerts you when this user tries to use the "su" command on the server to get higher privileges. CSF is a good security solution for hosting servers and can be integrated into the user interface (UI) of WHM/cPanel, DirectAdmin, and Webmin.
You don't have to own any special kind of hardware to install Config server Firewall on your server all you'll have to do is own a CentOS 7 server and root privileges over it. You can switch between non root user to root user using
sudo -i command.
Installing CSF and Dependencies
CSF is based on Perl so you'll have to install perl first. You'll also need wget package and a text editor to install CSF, here we are using nano text editor you can have any text editor of your choice.
yum -y install wget nano perl-libwww-perl.noarch perl-Time-HiRes
Next go to the "/usr/src/" directory and download CSF using wget command as shown in the below commands.
We have successfully downloaded the CSF archive file now you'll have to extract this archive file and then install it using following command:
tar -xzf csf.tgz
You should get a message stating " installation is completed " at the end of this process.
Now let's check that CSF really works on this server and to do so please go to the "/usr/local/csf/bin/" directory, and run "csftest.pl" using following commands:
You should see a result stating that "csf should function on this server" on your screen, this indicates that CSF is running without problems on your server.
Before going through the configuration process of CSF you'll have to stop and disable the default firewalld services of CentOS 7 server and to do so run following command:
systemctl stop firewalld
systemctl disable firewalld
Now we can configure the CSF on our server so go to the CSF configuration directory and edit configuration file using any text editor you want but here we are using nano text editor.
Find "TESTING " on line 11 and change it to
TESTING = "0", save the file and exit from the text editor for applying the firewall configuration.
Next, start CSF and LFD services using systemctl command as shown below.
systemctl start csf
systemctl start lfd
Now enable these services to start at boot time using following commands.
systemctl enable csf
systemctl enable lfd
You can check the list of default rules using
csf -l command:
Basic CSF Commands
There are some basic CSF commands given and explained below:
csf -s<- Run this command to start and enable firewall rules.
csf -f<- Run this command to stop or flush the firewall rules
csf -r<-Run this command to reload the firewall rules
csf -a yourIP<- Allow an IP and add it to csf.allow and you should see something similar to this in result.
Adding yourIP to csf.allow and iptables ACCEPT... ACCEPT all opt -- in !lo out * yourIP -> 0.0.0.0/0 ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> yourIP
Use following command to remove and delete an IP from csf.allow and result should be similar to this.
csf -ar yourIP
Removing rule... ACCEPT all opt -- in !lo out * yourIP -> 0.0.0.0/0 ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> yourIP
Use Following command to deny an IP and add to csf.deny.
csf -d yourIP
Adding yourIP to csf.deny and iptables DROP... DROP all opt -- in !lo out * yourIP -> 0.0.0.0/0 LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> yourIP
Use following command to remove and delete an IP from csf.deny.
csf -dr yourIP
Removing rule... DROP all opt -- in !lo out * yourIP -> 0.0.0.0/0 LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> yourIP
Use following command to remove and Unblock all entries from csf.deny.
DROP all opt -- in !lo out * yourIP1 -> 0.0.0.0/0 LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> yourIP1 DROP all opt -- in !lo out * yourIP2 -> 0.0.0.0/0 LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> yourIP2 csf: all entries removed from csf.deny
In this tutorial we've learned how to install and configure CSF on a CentOS 7 server. It has many features and can support web-based management tools like cPanel / WHM, DirectAdmin and Webmin.