Installing and configuring CSF on CentOS 7.
I have been using CSF (ConfigServer Security and Firewall) in my Linux systems for a while now with great results. CSF is more than a Firewall software, it is also an SPI (Stateful Packet Inspection), LID (Login/Intrusion Detection), and an Application Security software. But the best part of CSF is not how powerful and reliable it is but how easy is to install, configure and use.
In this post, I will show how to install and do some basic configuration of CSF on CentOS 7.
Disable default Firewall###
The first step will be to disable firewalld on your system. To do this:
[root@webserver ~]# systemctl disable firewalld
[root@webserver ~]#systemctl stop firewalld
Verify that firewalld is not running:
[root@webserver ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
Active: inactive (dead)
Installing CSF###
We are going to start by installing perl-libwww-perl on the system.
[root@webserver ~]# yum install perl-libwww-perl -y
Now we are going to download the CSF software to /tmp on the system:
[root@webserver ~]# wget -P /tmp/ http://www.configserver.com/free/csf.tgz
Uncompressing the application:
[root@webserver ~]# cd /tmp/
[root@webserver ~]# tar zxvf csf.tgz; cd csf
Runnign the installation:
[root@webserver ~]# ./install.sh
At this point, CSF is installed on the system. The next step will be to configure it.
Configuring CSF###
The first thing that we will do is to check that CSF has all the required iptables modules to run on the system. In order to do that we will use a provided script (/etc/csf/csftest.pl) and check that result output confirms that CSF could run on the system.
To to that execute /etc/csf/csftest.pl:
[root@webserver ~]# /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Now that we verified that CSF will function properly we are going to proceed to configure it. In CentOS and other RHEL based Linux OS the most important configuration files to edit are:
-
csf.conf (main configuration file)
-
csf.allow (list of IPs and CIDRs that will be always accepted by the server)
-
csf.deny (list of IPs and CIDRs that will be always blocked by the firewall)
-
csf.ignore (list of IPs and CIDRs that should be ignored and not block if detected)
In the main configuration file (csf.conf) there are 9 settings that are really important to know:
-
TCP_IN (the list of TCP ports that will allow traffic in the system, delimited by commas)
-
TCP_OUT (the list of TCP ports that will allow traffic to go out from the system, delimited by commas)
-
UDP_IN (the list of UDP ports that will allow traffic in the system, delimited by commas )
-
UDP_OUT (the list of UDP ports that will allow traffic to go out from the system, delimited by commas)
-
TESTING (the lfd service will not start until this value is equal 1, the accepted values are 1=on and 0=off)
-
ICMP_IN (allow the system to respond to ICPM requests (e.g: ping))
-
ICMP_OUT (allows ICMP request to go out (ping from system)
-
CC_DENY ( list of country codes to deny access to the system, list resides at: http://www.maxmind.com/app/geolitecountry)
-
CC_ALLOW (list of country codes to allow access to the system, list resides at: http://www.maxmind.com/app/geolitecountry)
In this example I will configure CSF to allow access to the next ports:
- 22 – SSH
- 80 – WEB
- 443 – SSL WEB
We will also block access to the next countries :
- Russia
- China
In order to do that we will edit /etc/csf/csf.conf and set it to the next values:
TCP_IN = “22,80,443”
TCP_OUT = “20,21,22,25,53,80,110,113,443,587,993,995”
UDP_IN = “20,53”
UDP_OUT = “20,21,53,113,123”
ICMP_IN = “1”
ICMP_OUT = “1”
CC_DENY = “RU,CN”
TESTING = “0”
You should not touch anything else for this default config.
After this we will restart the services for csf and lfd:
[root@webserver ~]# service csf start
[root@webserver ~]# service lfd start
Useful commands###
Here are some useful CLI commands to manage CSF:
- csf -d IP (deny access to the IP)
- csf -a IP (allows access to the IP)
- csf -r (restore rules)
- csf -u (update csf)
- csf -e (start the service)
Other settings###
Besides the configurations settings explained before, here is a list of some of the other common one:
-
DENY_IP_LIMIT (number of blocked IP addresses CSF keeps track)
-
ICMP_IN_LIMIT (number of ICMP requests allowed from one IP address within a specified amount of time)
-
PACKET_FILTER (filter invalid, unwanted and illegal packets)
-
CONNLIMIT (limits the number of concurrent active connections on one port)
For more information: http://forum.configserver.com/