
To install ConfigServer Security & Firewall (CSF)

A firewall is a useful and powerful way to add security to a server. It protects your server from malware, DDoS, brute force, DoS, backdoors, rootkits and local exploits. In this article we discuss how to configure the ConfigServer CSF firewall on Red Hat, CentOS and Fedora. CSF (ConfigServer Security & Firewall) is an advanced firewall and security application. It is an open source application.

To install required CSF Modules

The CSF script requires Perl modules.

[root@linuxhelp ~]# yum install perl-libwww-perl
Loaded plugins: auto-update-debuginfo, fastestmirror, protectbase, refresh-
              : packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: centos.excellmedia.net
 * epel: epel.mirror.net.in
 * epel-debuginfo: epel.mirror.net.in
... ... ...
Installed:
  perl-libwww-perl.noarch 0:5.833-2.el6
Complete!

To download CSF

Use the /tmp directory when downloading or installing any new software. The wget command is used to download the CSF script.

[root@linuxhelp ~]# cd /tmp/
[root@linuxhelp tmp]# wget http://www.configserver.com/free/csf.tgz
--2016-03-17 09:59:46-- http://www.configserver.com/free/csf.tgz
Resolving www.configserver.com... 109.70.137.78, 2a01:c0:2:22::3
Connecting to www.configserver.com|109.70.137.78|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
... ... ...
100%[======================================>] 688,544 364K/s in 1.8s
2016-03-17 09:59:49 (364 KB/s) - “csf.tgz” saved [688544/688544]

To remove the existing firewall

The APF (Advanced Policy Firewall) + BFD (Brute Force Detection) combination must be removed to avoid conflicts. Run the following command to remove the existing firewall.

[root@linuxhelp tmp]# sh /tmp/csf/remove_apf_bfd.sh
sh: /tmp/csf/remove_apf_bfd.sh: No such file or directory

Note: I have not installed APF & BFD before; that's why it says no such file or directory.

To install CSF

Extract the archive with the tar command and change to the newly created csf directory. To install, run the installer script.

[root@linuxhelp ~]# cd /tmp/
[root@linuxhelp tmp]# tar -xzf csf.tgz
[root@linuxhelp tmp]# cd csf
[root@linuxhelp csf]# sh install.sh
Selecting installer...
Running csf generic installer
Installing generic csf and lfd
Check we're running as root
... ... ...
mode of `/etc/init.d/lfd' retained as 0755 (rwxr-xr-x)
mode of `/etc/init.d/csf' retained as 0755 (rwxr-xr-x)
`/etc/csf/csfwebmin.tgz' -> `/usr/local/csf/csfwebmin.tgz'
Installation Completed

To configure CSF

The commands above install and start CSF in testing mode. To disable testing mode, first configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options for your server. Make the following changes in the file /etc/csf/csf.conf.

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

Note: Disable testing mode by changing the variable TESTING = 1 to TESTING = 0.

TESTING = "0"
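An added example, not part of the original article: a POSIX shell check that reads the KEY = "value" lines of csf.conf, confirms TESTING is 0 and lists inbound ports opened beyond what the host needs. The function names, the sample file and the needed-port lists (22,80,443 and 53) are assumptions for illustration; on a real server pass /etc/csf/csf.conf instead of the sample.

```sh
#!/bin/sh
# Added example (not from the original article): audit csf.conf before relying on it.

# Constructed sample: the inbound port lists from this article, TESTING still "1".
sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
TESTING = "1"
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
EOF
    echo "$f"
}

# csf_get FILE KEY: print the quoted value of KEY (last assignment wins).
csf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# csf_extra FILE KEY NEEDED: ports in KEY that are not in the comma-separated
# NEEDED list, i.e. openings this host does not require.
csf_extra() {
    needed=",$3,"; extra=""
    for p in $(csf_get "$1" "$2" | tr ',' ' '); do
        case "$needed" in
            *",$p,"*) ;;
            *) extra="${extra:+$extra }$p" ;;
        esac
    done
    echo "$extra"
}

# csf_audit FILE TCP_NEEDED UDP_NEEDED: print findings; return 1 if any.
csf_audit() {
    rc=0
    [ "$(csf_get "$1" TESTING)" = "0" ] ||
        { echo "TESTING is not 0: csf clears the rules on a timer, lfd will not start"; rc=1; }
    x=$(csf_extra "$1" TCP_IN "$2")
    [ -z "$x" ] || { echo "TCP_IN opens ports not needed: $x"; rc=1; }
    x=$(csf_extra "$1" UDP_IN "$3")
    [ -z "$x" ] || { echo "UDP_IN opens ports not needed: $x"; rc=1; }
    return "$rc"
}

# Demo: a host that only needs SSH, HTTP and HTTPS inbound, plus DNS over UDP.
conf=$(sample_conf)
csf_audit "$conf" "22,80,443" "53" || true
rm -f "$conf"
```

Trim the lists in csf.conf until the audit prints nothing, then reload the rules with csf -r.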

To start CSF

Enable csf to start at boot time in runlevels 2, 3 and 5, then reload the rules.

[root@linuxhelp csf]# chkconfig --level 235 csf on
[root@linuxhelp csf]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
... ... ...
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0

CSF Configuration Usage and Options

csf.conf : The main configuration file for controlling CSF.

csf.deny : The list of denied IPs and CIDR addresses on the firewall.

csf.allow : The list of allowed IPs and CIDR addresses on the firewall.

csf.*ignore : The various ignore files, which list users and IPs to be ignored.

csf.ignore : The list of ignored IPs and CIDR addresses on the firewall.

Commands and Options of CSF

Option -r is used to reload all rules.

Option -d is used to deny an IP address.

Option -a is used to allow an IP address.

# csf -d IPADDRESS

# csf -a IPADDRESS

# csf -r

To deny a host

Example

[root@linuxhelp csf]# csf -d 192.168.7.101
Adding 192.168.7.101 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 192.168.7.101 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.7.101
[root@linuxhelp csf]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
... ... ....
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0

To list the rules

[root@linuxhelp csf]# csf -l
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source des
..... ..... .....
Chain DENYIN (1 references)
num pkts bytes target prot opt in out source destination
1 1 165 DROP all -- !lo * 192.168.7.101 0.0.0.0/0
... ... ...

To verify the output

[root@linuxhelp csf]# ping 192.168.7.101
PING 192.168.7.101 (192.168.7.101) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

To add a host to the allow list

[root@linuxhelp csf]# csf -a 192.168.7.101
Removing 192.168.7.101 from csf.deny...
Removing rule...
DROP all opt -- in !lo out * 192.168.7.101 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.7.101
Adding 192.168.7.101 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 192.168.7.101 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.7.101
[root@linuxhelp csf]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
... ... ...

To list the rules

[root@linuxhelp csf]# csf -l
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- !lo * 8.8.8.8 0.0.0.0/0 tcp dpt:53
Chain ALLOWOUT (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * !lo 0.0.0.0/0 192.168.7.101
.....

To verify output

[root@linuxhelp csf]# ping 192.168.7.101
PING 192.168.7.101 (192.168.7.101) 56(84) bytes of data.
64 bytes from 192.168.7.101: icmp_seq=1 ttl=128 time=1.40 ms
64 bytes from 192.168.7.101: icmp_seq=2 ttl=128 time=0.377 ms
64 bytes from 192.168.7.101: icmp_seq=3 ttl=128 time=0.321 ms
64 bytes from 192.168.7.101: icmp_seq=4 ttl=128 time=0.241 ms
64 bytes from 192.168.7.101: icmp_seq=5 ttl=128 time=0.341 ms
............

To get the list of all options

Type csf to get the list of all options.

[root@linuxhelp csf]# csf
csf: v8.16 (generic)
csf(1)
... ... ...
NAME
csf - ConfigServer & Security Firewall
SYNOPSIS
csf [OPTIONS]
.....

To remove the CSF firewall

Run the uninstall script located at /etc/csf/uninstall.sh to remove the CSF firewall.

[root@linuxhelp csf]# /etc/csf/uninstall.sh
Uninstalling csf and lfd...
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
... ... ...
removed directory: `/var/lib/csf/ui'
removed directory: `/var/lib/csf'
...Done

Note: This command erases the CSF firewall completely, with all its files and folders.
