Overview
ConfigServer Security & Firewall (CSF) is a popular firewall configuration script for CentOS servers that offers a high level of security by blocking malicious traffic & allowing only authorized traffic on the server. It is commonly used with the ‘Login Failure Daemon’ (LFD), which scans the server for security issues and login failures.
In this article, we will guide you through installing and configuring the CSF firewall on your CentOS server.
Prerequisites
➔ You need Root or sudo access to the CentOS server.
Steps to Install & Configure a CSF Firewall in a CentOS Server
To install the CSF Firewall, you need to execute the commands as follows:
➢ As CSF is based on Perl, you first need to install the Perl library on the server.
yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes
➢ Move into the /usr/src directory and download the latest version of CSF from its official website using ‘wget’.
cd /usr/src/
wget https://download.configserver.com/csf.tgz
➢ Once downloaded, extract the tar archive.
tar -xzf csf.tgz
➢ Move into the newly extracted CSF folder.
cd csf
➢ Now, run the CSF install script, install.sh.
sh install.sh
➢ Once the installation is complete, you will see this line as a message.
Installation Completed
➢ It’s time to check whether the CSF you installed is working properly or not by executing the commands given below.
cd /usr/local/csf/bin
perl csftest.pl
If you are getting a message like the following, it means your CSF is working without any issues.
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing xt_connlimit…OK
Testing ipt_owner/xt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK
RESULT: csf should function on this server
Configure the CSF On Your Server
➢ Before you start configuring the CSF, you need to know that in CentOS 7, there is a default firewall application called ‘firewalld’.
You need to disable it using the following command to prevent it from starting at boot.
➔ Stop the ‘firewalld’ service by executing
systemctl stop firewalld
➔ Disable the ‘firewalld’ service by executing
systemctl disable firewalld
➢ Now, open the CSF configuration file at /etc/csf/csf.conf in your preferred text editor, such as vim, vi, or nano.
➢ After that, change the TESTING setting from 1 to 0. If you don’t edit this, the lfd daemon will fail to start.
TESTING = "0"
➢ Now, move to line 139. There, check the entries beginning with TCP_ and UDP_, which list the allowed incoming and outgoing ports as comma-separated values.
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
➢ Now, you have to start the csf and lfd with the following commands.
systemctl start csf
systemctl start lfd
➢ After that, enable the csf and lfd services so that they are started when CentOS boots.
systemctl enable csf
systemctl enable lfd
That’s it; your firewall has been installed & configured on the server!
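A pre-flight check for the edited /etc/csf/csf.conf, to run before starting csf and lfd; this is an added example, not part of the original article or of CSF itself. It confirms that TESTING is "0", that the four port lists are well-formed (single ports or low:high ranges), and that your SSH port is allowed in TCP_IN; the function names and the sample file are constructed for illustration.

```sh
# Added example: pre-flight check of a csf.conf (names and sample are constructed).

# Print the value of KEY from FILE (lines of the form KEY = "value").
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Return 0 if LIST is comma-separated ports (1-65535) or low:high ranges.
csf_ports_ok() {
    case $1 in ''|*[!0-9,:]*|,*|*,|*,,*) return 1 ;; esac
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        case $p in *:*:*|:*|*:) return 1 ;; esac
        lo=${p%%:*}; hi=${p##*:}
        [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
    done
}

# Return 0 if PORT is covered by a single port or a range in LIST.
csf_has_port() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        [ "${p%%:*}" -le "$2" ] 2>/dev/null && [ "${p##*:}" -ge "$2" ] 2>/dev/null && return 0
    done
    return 1
}

# Print findings for FILE; the return status is the number of findings.
csf_preflight() {
    conf=$1; ssh_port=${2:-22}; bad=0
    [ "$(csf_get TESTING "$conf")" = "0" ] ||
        { echo "TESTING is not \"0\": lfd will fail to start"; bad=$((bad + 1)); }
    for key in TCP_IN TCP_OUT UDP_IN UDP_OUT; do
        csf_ports_ok "$(csf_get "$key" "$conf")" ||
            { echo "$key: missing, empty or malformed port list"; bad=$((bad + 1)); }
    done
    csf_has_port "$(csf_get TCP_IN "$conf")" "$ssh_port" ||
        { echo "TCP_IN does not allow SSH port $ssh_port"; bad=$((bad + 1)); }
    return "$bad"
}
# Constructed sample: TESTING left at "1" and a typo in UDP_IN.
sample=$(mktemp) && cat > "$sample" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21;53"
UDP_OUT = "20,21,53,113,123"
EOF
csf_preflight "$sample" 22 || echo "findings: $?"
rm -f "$sample"
```

On a real server, call csf_preflight /etc/csf/csf.conf with the port your sshd listens on as the second argument. A value pasted with curly quotes (“0”) is reported as a finding, because the parser only accepts straight double quotes.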