Question

How to install and configure Config Server Firewall (CSF) on CentOS

I was recently asked if there is an easier way to manage your server’s Firewall on servers with web-based interfaces like cPanel, CentOS Web Panel and with servers without GUI admin panels as well.



alexdo
Site Moderator
June 9, 2020
Accepted Answer

Introduction

Config Server Firewall (or CSF) is a free and advanced firewall for most Linux distributions and Linux based VPS. In addition to the basic functionality of a firewall – filtering packets – CSF includes other security features, such as login/intrusion/flood detections.

As mentioned, CSF includes UI integration for cPanel, DirectAdmin and Webmin, but this tutorial only covers the command line usage. CSF is able to recognize many attacks, such as port scans, SYN floods, and login brute force attacks on many services. It is configured to temporarily block clients who are detected to be attacking the cloud server.

The full list of supported operating systems and features can be found on ConfigServer’s website.

Installing ConfigServer Firewall

  • First we need to make sure that perl is installed

yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes

  • Then we can go ahead and download CSF

cd /usr/src/
wget https://download.configserver.com/csf.tgz

  • The next step is to extract the downloaded tar archive and run the install script:

tar -xzf csf.tgz
cd csf
sh install.sh

Configure CSF

  • CentOS 7 has a default firewall application called “firewalld”. You have to stop firewalld and remove it from the startup.

Stop firewalld:

systemctl stop firewalld

and disable it:

systemctl disable firewalld

  • Now we can enable CSF disabling the default TESTING state:

cd /etc/csf/

Next, open the csf.conf file using your favourite text editor (vim, vi, nano, etc.):

vim csf.conf

On line 11 you will see that "TESTING" is set to "1"; make sure this is set to "0":

TESTING = "0"

  • Now we can start and enable both lfd and csf

systemctl start csf
systemctl start lfd

systemctl enable csf
systemctl enable lfd

  • As mentioned CSF can be configured by editing its configuration file csf.conf in /etc/csf:

The less access there is to your VPS, the more secure your server is. However, not all ports can be closed as the clients must be able to use your services.

The ports opened by default are the following:

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

TCP_OUT = "20,21,22,25,53,80,110,113,443"

UDP_IN = "20,21,53"

UDP_OUT = "20,21,53,113,123"

It is possible that you are not using all of these services, so you can close the ports that are not used. I would recommend closing all ports (removing the port numbers from the list), and then adding the ports you need.

Below are port sets that should be opened if you are running the listed service:

On any server:

TCP_IN: 22,53
TCP_OUT: 22,53,80,113,443
UDP_IN: 53
UDP_OUT: 53,113,123

  • CSF offers a vast number of different options in its configuration files. Some of the most commonly used settings are explained below.

ICMP_IN Setting ICMP_IN to 1 allows ping to your server and 0 refuses such requests. If you are hosting any public services, it is recommended to allow ICMP requests, as these can be used to determine whether or not your service is available.

ICMP_IN_LIMIT Sets the number of ICMP (ping) requests allowed from one IP address within a specified amount of time. There is usually no need to change the default value (1/s)

DENY_IP_LIMIT Sets the number of blocked IP addresses CSF keeps track of. It is recommended to limit the number of denied IP addresses as having too many blocks may slow down the server performance.

DENY_TEMP_IP_LIMIT Same as above, but for temporary IP address blocks.

PACKET_FILTER Filter invalid, unwanted and illegal packets.

SYNFLOOD, SYNFLOOD_RATE and SYNFLOOD_BURST This offers protection against SYN flood attacks. This slows down the initialization of every connection, so you should enable this only if you know that your server is under attack.

  • Applying the Changes

Whenever you are altering the settings in csf.conf, you should save the file and restart CSF in order for the changes to take effect.

Once you are ready with the configuration, close and save the file.

After this, you should apply the changes by restarting CSF with command:

csf -r

Additionally, CSF can be configured to track processes in order to detect suspicious processes or open network ports, and send an email to the system administrator if any is detected. This may help you to identify and stop a possible exploit on your VPS. In order to set this up, open the csf.conf file and change the value from 0 to 1 for the following features:

LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"

Also change the email address:

LF_ALERT_TO = "mymail@mydomain.tld"

CSF usage

  • In order to start the Firewall:

csf -s

  • In order to flush or stop the Firewall rules:

csf -f

  • In order to reload the current rules:

csf -r

  • In order to allow an IP and add it to /etc/csf/csf.allow:

csf -a 1.1.1.1

  • In order to deny an IP and add it to /etc/csf/csf.deny:

csf -d 1.1.1.1

  • In order to deny an IP address temporarily for an hour:

csf -td 1.1.1.1

CSF provides an option to allow and deny access by country using the CIDR (Country Code).

In order to list more than one country you just need to separate them using commas:

CC_DENY = "AB,CD,EF"

You may find a list of ISO 3166-1 alpha-2 codes at https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

Conclusion

CSF is an application firewall for iptables provided for Linux servers which is easy to install and operate and, on top of that, comes with a lot of handy built-in options which you can use to make sure the security on your droplet is properly configured.

If you’re looking for an article to install CSF on Ubuntu we already have one: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-config-server-firewall-csf-on-ubuntu

Hope this helps!

Regards, Alex
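A non-interactive way to apply the csf.conf changes described in the accepted answer (leave TESTING mode, keep only the "any server" port set, allow ping, enable the login alerts), as an added example that is not part of the original answer or of CSF itself. The sample configuration is constructed from the defaults quoted above; the CSF_CONF variable and the csf_set, csf_get and csf_harden function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer or the CSF project.
# Assumes the KEY = "value" layout csf.conf uses; without CSF_CONF set it
# works on a constructed sample file so it can run offline, without CSF installed.

# Replace the value of one KEY = "value" line in a csf.conf-style file (in place).
csf_set() {               # usage: csf_set FILE KEY VALUE
    sed -i "s/^\($2\) *= *\"[^\"]*\"/\1 = \"$3\"/" "$1"
}

# Print the current value of KEY from FILE.
csf_get() {               # usage: csf_get FILE KEY
    sed -n "s/^$2 *= *\"\([^\"]*\)\".*/\1/p" "$1"
}

# Apply the answer's recommendations in one go; run `csf -r` afterwards on a
# real server so the new rules take effect.
csf_harden() {            # usage: csf_harden FILE
    csf_set "$1" TESTING 0                     # leave TESTING mode so lfd runs
    csf_set "$1" TCP_IN 22,53                  # "any server" inbound set
    csf_set "$1" TCP_OUT 22,53,80,113,443
    csf_set "$1" UDP_IN 53
    csf_set "$1" UDP_OUT 53,113,123
    csf_set "$1" ICMP_IN 1                     # keep ping reachable
    csf_set "$1" LF_SSH_EMAIL_ALERT 1          # alert on SSH logins
    csf_set "$1" LF_SU_EMAIL_ALERT 1           # alert on su usage
}

# Constructed sample csf.conf holding the default values quoted in the answer.
make_sample_conf() {      # usage: make_sample_conf FILE
    cat > "$1" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
ICMP_IN = "1"
LF_SSH_EMAIL_ALERT = "0"
LF_SU_EMAIL_ALERT = "0"
EOF
}

# Stand-alone run: use $CSF_CONF if given, otherwise the constructed sample.
CONF="${CSF_CONF:-$(mktemp)}"
[ -n "$CSF_CONF" ] || make_sample_conf "$CONF"
csf_harden "$CONF"
echo "TESTING=$(csf_get "$CONF" TESTING) TCP_IN=$(csf_get "$CONF" TCP_IN)"
```

Pointing CSF_CONF at /etc/csf/csf.conf edits the live configuration, so back it up first and follow with `csf -r`.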
