Install and set up CSF (ConfigServer Firewall) on CentOS 7 64-bit
Overview
ConfigServer Firewall, commonly known as CSF, is a powerful firewall configuration script designed to enhance the security of your server. It provides an intuitive and advanced interface for managing firewall settings, allowing you to secure your server effectively. CSF is adept at configuring your server’s firewall to restrict public access to services, permitting only specific connections such as FTP logins, email access, and website loading.
This tutorial is tailored for a CentOS 7 64-bit server optimized for web services. All subsequent commands must be executed with root permissions by logging in as the root user. Note that the provided instructions assume your server is configured for IPv4. If your server is configured for IPv6, ensure that both IPv4 and IPv6 protection measures are implemented.
Features
CSF boasts a range of features, including:
– A user-friendly SPI iptables firewall script
– Daemon process monitoring login authentication failures for various services, including:
  – Courier IMAP, Dovecot, UW-IMAP, Kerio
  – openSSH
  – cPanel, WHM, Webmail (cPanel servers only)
  – Pure-ftpd, vsftpd, Proftpd
  – Mod_security failures (v1 and v2)
  – Exim SMTP AUTH
  – Custom login failures with a separate log file and regular expression matching
– SSH login notifications
– Blocking excessive connections
– SU login notifications
– Server Security Check
– Intrusion Detection System (IDS)
…and numerous other functionalities to enhance the security and monitoring capabilities of your server.
Requirements
To successfully set up CSF, make sure you have the following:
- A CentOS 7 x64 VPS server
- Root access to the server
- An SSH client (download PuTTY[1] or Bitvise[2], depending on your operating system and preference)
Once you have all these prerequisites, you can commence the CSF setup. Follow the guide attentively, and feel free to utilize copy and paste for the commands provided to simplify the installation and configuration process.
CSF Installation Guide
Before installing CSF, let’s ensure that our server is up to date by performing an update. This step helps ensure a smooth installation process.
sudo yum update
Then install the packages CSF depends on and download the CSF archive.
sudo yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes
cd /usr/src/
wget https://download.configserver.com/csf.tgz
Extract the .tgz archive, change into the extracted folder and run the installer.
tar -xzf csf.tgz
cd csf
sh install.sh
Upon successful installation, you should receive the following information.
Don't forget to:
1. Configure the following options in the csf configuration to suite your server: TCP_*, UDP_*
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so
Adding current SSH session IP address to the csf whitelist in csf.allow:
Adding 58.42.10.23 to csf.allow only while in TESTING mode (not iptables ACCEPT)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
Installation Completed
Confirm that CSF can function on this server by running its test script.
cd /usr/local/csf/bin/
perl csftest.pl
If the result appears as shown below, then CSF should function smoothly on your server.
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Essence of CSF
To list the current rules.
csf -l
To restart CSF.
csf -r
Allowing an ip in csf.allow.
csf -a 50.25.25.10
Will output the following response from CSF:
Adding 50.25.25.10 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 50.25.25.10 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 50.25.25.10
You have new mail in /var/spool/mail/root
Removing an ip from csf.allow.
csf -ar 50.25.25.10
Will result in:
Removing rule...
ACCEPT all opt -- in !lo out * 50.25.25.10 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 50.25.25.10
Denying an ip and adding it to csf.deny.
csf -d 50.31.1.52
Will result in:
Adding 50.31.1.52 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 50.31.1.52 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 50.31.1.52
You have new mail in /var/spool/mail/root
Removing an ip from csf.deny.
csf -dr 50.31.1.52
Results in:
Removing rule...
DROP all opt -- in !lo out * 50.31.1.52 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 50.31.1.52
Remove all entries in csf.deny.
csf -df
Will output:
csf: all entries removed from csf.deny
Efficient CSF Configuration
Let’s return to the CSF configuration file.
cd /etc/csf/
nano csf.conf
To block or allow only specific countries from connecting to your server, you can achieve this by entering the country code in either the CC_DENY or CC_ALLOW configuration in CSF.
CC_DENY = "BZ,CN,US"
CC_ALLOW = "ID,PH,FR"
Limit the number of IP addresses kept in the /etc/csf/csf.deny file.
DENY_IP_LIMIT = "50"
To enable SYN Flood Protection, configure iptables to provide protection against TCP SYN packet Denial of Service (DoS) attempts.
SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
To implement Port Flood Protection, configure iptables to provide protection against Denial of Service (DoS) attacks targeting specific ports.
PORTFLOOD = "22;tcp;5;300,80;tcp;20;1"
This configuration signifies the following:
- 5 connections per IP address every 300 seconds to the SSH server.
- 20 connections per IP address per second to the HTTPD server.
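As an added example (not part of the original tutorial or of CSF itself), the shell function below decodes a PORTFLOOD value the same way as the list above and flags malformed entries before they reach csf.conf. The limit of 20 hits (the default ip_pkt_list_tot of the xt_recent module), the restriction to tcp and udp, and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example: decode a PORTFLOOD value, one rule per line, and flag entries
# that are not of the form port;protocol;hits;seconds.
# Assumption: hit counts above 20 are flagged because 20 is the default
# ip_pkt_list_tot of the xt_recent kernel module that counts the hits.
MAX_HITS=20

is_uint() {   # true for a non-empty string of digits
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# Prints one line per entry; the exit status is the number of invalid entries.
explain_portflood() {
    rest=$1
    bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%,*}                        # text before the first comma
        case "$rest" in *,*) rest=${rest#*,} ;; *) rest= ;; esac
        IFS=';' read -r port proto hits secs extra <<EOF
$entry
EOF
        if ! is_uint "$port" || ! is_uint "$hits" || ! is_uint "$secs" ||
           [ -n "$extra" ]; then
            echo "INVALID '$entry': expected port;protocol;hits;seconds"
            bad=$((bad + 1))
        elif [ "$proto" != tcp ] && [ "$proto" != udp ]; then
            echo "INVALID '$entry': protocol must be tcp or udp"
            bad=$((bad + 1))
        elif [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "INVALID '$entry': port out of range"
            bad=$((bad + 1))
        elif [ "$hits" -lt 1 ] || [ "$hits" -gt "$MAX_HITS" ] || [ "$secs" -lt 1 ]; then
            echo "INVALID '$entry': hits must be 1-$MAX_HITS, seconds at least 1"
            bad=$((bad + 1))
        else
            echo "$port/$proto: $hits connections per IP address per ${secs}s"
        fi
    done
    return "$bad"
}

# The value from this tutorial
explain_portflood "22;tcp;5;300,80;tcp;20;1"
```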
Additionally, this option permits access from the specified countries to the specific ports listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP.
CC_ALLOW_PORTS = "QA,PH,SA,KG"
CC_ALLOW_PORTS_TCP = "21,22"
This option denies access from the following countries to the specific ports listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP.
CC_DENY_PORTS = "CN"
CC_DENY_PORTS_TCP = "22,327"
Do not block IP addresses that are listed in the csf.allow file.
IGNORE_ALLOW = "1"
Permit both ICMP incoming and outgoing.
ICMP_IN = "1"
ICMP_OUT = "1"
Send email alerts for SSH and su logins.
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"
LF_ALERT_TO = "mymail@mydomain.tld"
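An added check, not from the original tutorial or the CSF project: the script below reads a csf.conf-style file and reports the mistakes this walkthrough makes easy, namely TESTING left enabled, a CC_*_PORTS country list without any ports, and values missing their double quotes. The function names and the sample file are constructed for the example.

```shell
#!/bin/sh
# Added example: check a csf.conf-style file for the settings covered above.

conf_get() {   # conf_get FILE KEY: print the value between the double quotes
    awk -F'"' -v k="$2" '$1 ~ ("^[ \t]*" k "[ \t]*=[ \t]*$") { v = $2 }
                         END { print v }' "$1"
}

# Prints one line per finding; the exit status is the number of findings.
audit_csf_conf() {
    f=$1
    n=0
    if [ "$(conf_get "$f" TESTING)" != "0" ]; then
        echo "TESTING is not \"0\": lfd will not run"
        n=$((n + 1))
    fi
    for opt in CC_ALLOW_PORTS CC_DENY_PORTS; do
        ports="$(conf_get "$f" "${opt}_TCP")$(conf_get "$f" "${opt}_UDP")"
        if [ -n "$(conf_get "$f" "$opt")" ] && [ -z "$ports" ]; then
            echo "$opt names countries but ${opt}_TCP and ${opt}_UDP are empty"
            n=$((n + 1))
        fi
    done
    # Settings in csf.conf are written as KEY = "value"; count lines that are not.
    c=$(grep -E '^[[:space:]]*[A-Z0-9_]+[[:space:]]*=' "$f" |
        grep -Evc '=[[:space:]]*"[^"]*"[[:space:]]*$' || true)
    if [ "$c" -gt 0 ]; then
        echo "$c setting line(s) not in KEY = \"value\" form"
        n=$((n + 1))
    fi
    return "$n"
}

write_sample_conf() {   # constructed excerpt, not a real server's file
    cat > "$1" <<'EOF'
TESTING = "1"
PORTFLOOD = 22;tcp;5;300,80;tcp;20;1
CC_ALLOW_PORTS = "QA,PH,SA,KG"
CC_ALLOW_PORTS_TCP = "21,22"
CC_DENY_PORTS = "CN"
CC_DENY_PORTS_TCP = ""
EOF
}

tmp=$(mktemp)
write_sample_conf "$tmp"
audit_csf_conf "$tmp" || echo "findings: $?"
rm -f "$tmp"
```

On the server, run audit_csf_conf against /etc/csf/csf.conf and restart with csf -r after correcting any finding.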
CSF is a feature-rich firewall application, and when configured correctly, it proves to be an excellent tool for protecting your server. Ensure a good understanding of the setup, and you’ll have a secure and well-protected server environment.
[1]: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
[2]: https://www.bitvise.com/ssh-client-download
