Install and Configure CSF (ConfigServer Firewall) on Centos7 64bit

Introduction

ConfigServer Firewall, also known as CSF, is a firewall configuration script created to provide better security for your server while giving you an easy to use, advanced interface for managing your firewall settings. CSF configures your server’s firewall to lock down public access to services and only allow certain connections, such as logging in to FTP, checking your email, or loading your websites.

This tutorial is done on a Centos7 64bit server for web services. All the succeeding commands should be executed with root permissions by logging in as root. The server that I have is configured for IPV4, if your server is configured for IPV6 you should protect both IPV4 & IPV6 at the same time.

Features

Some of the features CSF can provide are:

• Straight-forward SPI iptables firewall script
• Daemon process that checks for login authentication failures for:
  • Courier imap, Dovecot, uw-imap, Kerio
  • openSSH
  • cPanel, WHM, Webmail (cPanel servers only)
  • Pure-ftpd, vsftpd, Proftpd
  • Mod_security failures (v1 and v2)
  • Exim SMTP AUTH
  • Custom login failures with separate log file and regular expression matching
• SSH login notification
• Excessive connection blocking
• SU login notification
• Server Security Check
• IDS (Intrusion Detection System)

...and many more.

Prerequisites

We will need the following to be able to successfully setup CSF:
- An CentOS 7 x64 VPS server
- Root Access to the server
- An SSH client (You can download Putty[1] or Bitvise[2] depends on your operating system and liking)

When you have all this ingredients we can now start setting up CSF. Please follow the guide carefully, remember, you can always copy and paste the commands below for ease of installation and configuration.

Installing CSF

To install CSF we will try to update or server first.

sudo yum update

And install the dependencies and CSF itself

sudo yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes

cd /usr/src/

wget https://download.configserver.com/csf.tgz

Extract the .tar file and enter the folder.

tar -xzf csf.tgz

cd csf

sh install.sh

If all is installed properly you should get the following information.

Don't forget to:
1. Configure the following options in the csf configuration to suite your server: TCP_*, UDP_*
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so

Adding current SSH session IP address to the csf whitelist in csf.allow:
Adding 58.42.10.23 to csf.allow only while in TESTING mode (not iptables ACCEPT)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration

Installation Completed

Now we will check if CSF is really working on this server. We will do a test to verify.

cd /usr/local/csf/bin/

perl csftest.pl

If you see the result as shown below then CSF should function without any problems on your server.

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Configuring CSF

CentOS7 has a built in firewall called firewalld. We need to stop and disable it before activating CSF.

systemctl stop firewalld

systemctl disable firewalld

Then we shall go to the CSF configuration file and edit to change testing to production phase. Go to "/etc/csf/" and edit the file "csf.conf".

cd /etc/csf/

nano csf.conf

Change TESTING to 0.

TESTING = "0"

Save and exit the file.
You can now run CSF and LFD by the below commands.

systemctl start csf

systemctl start lfd

Then enable CSF and LFD to be started at boot.

systemctl enable csf

systemctl enable lfd

Basics of CSF

To see list of rules.

csl -l

To restart CSF.

csf -r

Allowing an ip in csf.allow.

csf -a 50.25.25.10

Will output the following response from CSF:

Adding 50.25.25.10 to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  50.25.25.10  -> 0.0.0.0/0
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 50.25.25.10
You have new mail in /var/spool/mail/root

Removing an ip from csf.allow.

csf -ar 50.25.25.10

Will result in:

Removing rule...
ACCEPT  all opt -- in !lo out *  50.25.25.10  -> 0.0.0.0/0
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 50.25.25.10

Denying an ip and adding it to csf.deny.

csf -d 50.31.1.52

Will result in:

Adding 50.31.1.52 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  50.31.1.52  -> 0.0.0.0/0
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 50.31.1.52
You have new mail in /var/spool/mail/root

Removing an ip from csf.deny.

csf -dr 50.31.1.52

Results in:

Removing rule...
DROP  all opt -- in !lo out *  50.31.1.52  -> 0.0.0.0/0
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 50.31.1.52

Remove all entries in csf.deny.

csf -df

Will output:

csf: all entries removed from csf.deny

Advanced CSF Setup

Let us go back to CSF configuration file.

cd /etc/csf/

nano csf.conf

Blocking or allowing only certain countries from connecting to your server by entering the country code in CC_DENY or CC_ALLOW.

CC_DENY = "BZ,CN,US"
CC_ALLOW = "ID,PH,FR"

Limit the number of IP's kept in the /etc/csf/csf.deny file.

DENY_IP_LIMIT = "50"

Enable SYN Flood Protection. This option configures iptables to offer some protection from tcp SYN packet DOS attempts.

SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"

Port Flood Protection. This option configures iptables to offer protection from DOS attacks against specific ports.

PORTFLOOD = 22;tcp;5;300,80;tcp;20;1

Means: 5 connections per IP-address per 300 seconds to the ssh server; and 20 connections per IP-address per second to the httpd server

This option allows access from the following countries to specific ports listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP.

CC_ALLOW_PORTS = "QA, PH, SA, KG"
CC_ALLOW_PORTS_TCP = "21,22"

This option denies access from the following countries to specific ports listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP

CC_DENY_PORTS = "CN"
CC_DENY_PORTS_TCP = "22, 327"

Don't Block IP addresses that are in the csf.allow files.

IGNORE_ALLOW = "1"

Allow Incoming and Outgoing ICMP.

ICMP_IN = "1"
ICMP_OUT = "1"

Send the Su and SSH Login log by Email.

LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"
LF_ALERT_TO = "mymail@mydomain.tld"

CSF is a feature rich firewall application, if configured right it will do excellent to protect your server, make sure you understand most of the setup and you'll be fine and protected.