Securing your server is important aspect which should be done on your side. If you’re currently running Linux server you must install and configure Firewall to protect your server from any attack like brute-force attacks, syn flood attaks, port flooding, email bomb / junk spam email, suspicious activities, block traffic and any other attacks from internet.
It doesn’t matter whether you’re currently using Linux server (vps / cloud / dedicated / colocation server) with a web-based control panel or CLI-based interface, you should configure Firewall to protect your server from any attack accros the internet world.
Well, on this today guide I will teach you on how to configuring ConfigServer Security & Firewall (csf) on Debian/Ubuntu & RHEl/CentOS/Fedora server. These tutorial can be applied on Debian 8/9/10, Ubuntu 14.04/16/04/18.04/20.04 and RHEL/CentOS 7/8. Please note, for security reason, don’t using the EOL operating system like RHEL/CentOS 5/6, Debian 7 or Ubuntu 12.04 LTS.
ConfigServer Security & Firewall (csf) is an Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application which developed exclusively for Linux servers. CSF is comprehensive SPI iptables firewall, which is straight-forward, easy and flexible to configure with Login Failure Daemon (lfd). On the backed side, LFD will perform login/intrusion detection system which can block any suppicious login activities on your server.
We should use ConfigServer Security & Firewall (csf) since this CSF have more advanced and comprehensive features than another firewall aplication such as UFW, Firewalld or Iptables. Compared to the other Linux firewall aplication, CSF is more user firendly and effective which mostly using by web hosting providers.
Also, if you are not familiar with command-line interface, CSF has an GUI-Integration with web-based control panel, including cPanel-WHM, Webmin, DirectAdmin, InterWorx, VestaCP, CentOS Web Panel (CWP) and CyberPanel. So, you can easyly to configure any firewall rules for your server.
* VPS / Cloud / Dedicated / Colocation Server
* Server IPv4 Address
* Full-Root Access
* gNome Terminal for Linux Users
* PuTTy SSH Client for Windows users
1.) Install and Configure CSF & LFD Firewall
On Linux server with minimal installation, usually you don’t get any firewall aplication installed inside the system. But, it also depend on your distribution system. For example, on Debian/Ubuntu usually we will get UFW and Iptables as their default firewall aplication. So, simply run the following command to install CSF and LFD.
Enter to directory which you want to save the csf lfd firewall installer. On this tutorial, I will download the csf installer on src or tmp directory.
============================== $ cd /usr/local/src ==============================
Then, download csf installer using wget command.
============================== $ wget https://download.configserver.com/csf.tgz ==============================
After that, you can extract the .tgz file.
============================== $ tar -xzf csf.tgz ==============================
Move to csf directory
============================== $ cd csf ==============================
And then run the installer
============================== $ sh install.sh ==============================
2.) Test Iptables Modules
Test the required iptables modules for CSF and LFD installation using the following command.
============================== $ perl /usr/local/csf/bin/csftest.pl ==============================
3.) Next, let’s configure CSF Firewall.
Simply open csf.conf file using vim, nano your preffered editor. Looks for varibale TESTING = “1”, and you should change that variable from 1 to 0 if you want to enable CSF & LFD.
============================== $ nano /etc/csf/csf.conf ============================== #TESTING = "1" TESTING = "0" ==============================
4.) Set RESTRICT_SYSLOG to 3
By default, RESTRICT_SYSLOG variable is set to 0. So we must change it to 3. It’s strongly recomended to set the value to 3 in order to restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP.
============================== $ RESTRICT_SYSLOG = "3" ==============================
5.) Restart CSF Firewall & LFD
After we’ve changed the CSF rules, don’t forget to restart it using the following command.
============================== $ csf -r $ lfd -r ==============================
To enable and disable CSF & LFD
$ csf -e
$ csf -x
6.) Install Perl Modules or Required Software Dependencies
Usually you will face some issues after installing and configuring ConfigServer Security & Firewall (CSF and LFD). This can be shown on the logs screen when you run csf -r command for the firts time. So simply install the following Perl modules as software dependencies for CSF and LFD.
# On RPM-based systems (RHEL / CentOS / Fedora)
============================== $ yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph ==============================
*Or you can use dnf command for RHEL / CentOS 8 / Fedora 33/34
# On APT-based systems (Debian / Ubuntu):
============================== $ apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl ==============================
*Or simply using apt command for Debian 9/10 or Ubuntu 18.04/20.04 lTS+.
7.) Block Specific Ports
If you have a different rule which forced you to blocks specific ports, simply blocks that ports on SECTION:IPv4 Port Settings and SECTION:IPv6 Port Settings. You can block spesific port, for example default port 22 if you have change it to another port.
Usually after you have installed CSF and LFD, the default rules or configuration as follow:
SECTION:IPv4 Port Settings
============================== # This option should be set to "1" in all other circumstances LF_SPI = "1" # Allow incoming TCP ports TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995" # Allow outgoing TCP ports TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995" # Allow incoming UDP ports UDP_IN = "20,21,53,80,443" # Allow outgoing UDP ports # To allow outgoing traceroute add 33434:33523 to this list UDP_OUT = "20,21,53,113,123" ==============================
*SECTION:IPv6 Port Settings
============================== # These changes are not necessary if the SPI firewall is used IPV6_SPI = "1" # Allow incoming IPv6 TCP ports TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995" # Allow outgoing IPv6 TCP ports TCP6_OUT = "20,21,22,25,53,80,110,113,443,587,993,995" # Allow incoming IPv6 UDP ports UDP6_IN = "20,21,53,80,443" # Allow outgoing IPv6 UDP ports # To allow outgoing traceroute add 33434:33523 to this list UDP6_OUT = "20,21,53,113,123" ==============================
Installing and configuring ConfigServer Security & Firewall (CSF & LFD) on Linux based-server is quite easy and shoulb be done under 10 minutes. You just need relax time to perform this simple task on your Linux server. Happy coding… 🙂