Julio's Blog

Installing and configuring CSF on CentOS 7.

I have been using CSF (ConfigServer Security and Firewall) in my Linux systems for a while now with great results. CSF is more than a Firewall software, it is also an SPI (Stateful Packet Inspection), LID (Login/Intrusion Detection), and an Application Security software. But the best part of CSF is not how powerful and reliable it is but how easy is to install, configure and use.

In this post, I will show how to install and do some basic configuration of CSF on CentOS 7.

Disable default Firewall

The first step will be to disable firewalld on your system. To do this:

[[email protected] ~]# systemctl disable firewalld

[[email protected] ~]#systemctl stop firewalld

Verify that firewalld is not running:

[[email protected] ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon  
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)  
Active: inactive (dead)  

Installing CSF

We are going to start by installing perl-libwww-perl on the system.

[[email protected] ~]# yum install perl-libwww-perl -y

Now we are going to download the CSF software to /tmp on the system:

[[email protected] ~]# wget -P /tmp/ http://www.configserver.com/free/csf.tgz

Uncompressing the application:

[[email protected] ~]# cd /tmp/

[[email protected] ~]# tar zxvf csf.tgz; cd csf

Runnign the installation:

[[email protected] ~]# ./install.sh

At this point, CSF is installed on the system. The next step will be to configure it.

Configuring CSF

The first thing that we will do is to check that CSF has all the required iptables modules to run on the system. In order to do that we will use a provided script (/etc/csf/csftest.pl) and check that result output confirms that CSF could run on the system.

To to that execute /etc/csf/csftest.pl:

[[email protected] ~]# /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK  
Testing ipt_LOG...OK  
Testing ipt_multiport/xt_multiport...OK  
Testing ipt_REJECT...OK  
Testing ipt_state/xt_state...OK  
Testing ipt_limit/xt_limit...OK  
Testing ipt_recent...OK  
Testing xt_connlimit...OK  
Testing ipt_owner/xt_owner...OK  
Testing iptable_nat/ipt_REDIRECT...OK  
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server  

Now that we verified that CSF will function properly we are going to proceed to configure it. In CentOS and other RHEL based Linux OS the most important configuration files to edit are:

In the main configuration file (csf.conf) there are 9 settings that are really important to know:

In this example I will configure CSF to allow access to the next ports:

We will also block access to the next countries :

In order to do that we will edit /etc/csf/csf.conf and set it to the next values:

TCP_IN = “22,80,443”  
TCP_OUT = “20,21,22,25,53,80,110,113,443,587,993,995”  
UDP_IN = “20,53”  
UDP_OUT = “20,21,53,113,123”  
ICMP_IN = “1”  
ICMP_OUT = “1”  
TESTING = “0”  

You should not touch anything else for this default config.

After this we will restart the services for csf and lfd:

[[email protected] ~]# service csf start

[[email protected] ~]# service lfd start

Useful commands

Here are some useful CLI commands to manage CSF:

Other settings

Besides the configurations settings explained before, here is a list of some of the other common one:

For more information: http://forum.configserver.com/

Julio is a Principal Cloud Architect at Red Hat working on Linux, Virtualization, Cloud (OpenStack), and Containers.Julio was born in Cuba but now calls home Austin, TX.