LINUX SECURITY

Config Server Firewall Installation

CSF: Config Server Firewall Installation

An alternative firewall to APF is the Config Server Firewall, or CSF:

CSF is generally considered a more advanced firewall, as it offers more configuration options than other firewalls, while still being simple enough to install and configure that even novice administrators can use it. This article gives you a simple overview of how to install and set up CSF and its security plugin LFD (Login Failure Daemon).

Note:

This post assumes that you are familiar with SSH and basic command-line navigation. These instructions apply primarily to customers who have VPS or Dedicated servers. If you do not have root-level access to your server account you will not be able to make these changes.

Removing Your Current Firewall:

To prevent any conflicts in operation we will need to remove your current firewall. The most common software firewalls on our dedicated servers are APF and CSF, so we have provided instructions on how to remove APF below. If you are using a different software firewall, be sure to follow that program's uninstall instructions before continuing. After completing the uninstall, continue with the CSF installation below.

Using Yum to Remove APF:

If it was installed via yum, which is most likely, you will first need to identify the name of your APF package:

rpm -qa |grep -i apf

In this case:

[root@host ~]# rpm -qa | grep apf
apf-9.6_5-1

In order to remove that package, and get your server ready for CSF installation, run the following command:

[root@host ~]# rpm -e apf-9.6_5-1

If you see this:

[root@host ~ ]# rpm -e apf-9.6_5-1
error: Failed dependencies:
apf >= 9.6_5-1 is needed by (installed) bfd-1.2-1.noarch

It means you have BFD installed, and it will need to be removed before you can proceed to removing APF:

[root@host ~ ]# rpm -e bfd-1.2-1.noarch

Then attempt to remove apf again:

[root@host ~ ]# rpm -e apf-9.6_5-1

Removing Source Installed APF:

This can be a bit trickier, and if you are unsure what you are doing you may wish to submit a ticket to our support team. If you are confident and want to proceed, you will find a list of commands below that you can use to remove APF if it is installed in the most common CentOS directories.

Stopping APF and iptables clears all of the rules from your firewall and ensures that removing the APF installation won't cause access problems:

[root@host ~ ]# /etc/init.d/iptables stop
[root@host ~ ]# /etc/init.d/apf stop

Remove all of the APF related files:

[root@host ~ ]# rm -Rfv /etc/apf
[root@host ~ ]# rm -fv /etc/cron.daily/fw
[root@host ~ ]# rm -fv /etc/init.d/apf

Remove APF from the list of programs that start at boot:

 

[root@host ~ ]# chkconfig apf off

If you get an error on any of these commands that you don't understand, please open a ticket with our support team and we will do everything we can to help you.

Installing CSF:

Installing CSF should be as simple as downloading the source file to your server and installing it. All commands below should be executed on your server via SSH, not on your local PC.

The first few steps of the installation are the same whether it is a cPanel server or a non-cPanel server.

Retrieving the Package:

Best practice when installing any software package from source: Use a temporary directory on a partition with plenty of space.

On our dedicated cPanel servers you will already have a directory that we typically use for such things, called 'temp', on the home partition:

[root@host ~ ]# cd /home/temp/

It is a good idea to check your disk space usage before proceeding, just to be sure there is plenty available:

[root@host ~ ]# df -h

Use ‘wget’ to retrieve CSF install code:

[root@host ~ ]# wget http://www.configserver.com/free/csf.tgz

Once the download is complete, you will see something similar to the following, and be given a command prompt again:

14:53:02 (410.05 KB/s) - `csf.tgz' saved [487272/487272]

Next: Decompress the CSF install files and change directories to the newly created ‘csf’ directory:

[root@host ~ ]# tar zxvf csf.tgz
[root@host ~ ]# cd csf

This is where the paths diverge: cPanel server, or non-cPanel server.

If you are running a cPanel server:

[root@host /home/temp/csf/ ]# ./install.cpanel.sh

If you are running a non-cPanel Red Hat server:

[root@host /home/temp/csf/ ]# ./install.sh

Either way you will be able to watch the output of the script as it runs, and it will tell you everything it has done. At the end, you will see something like the following:

 

TCP ports currently listening for incoming connections:
21,22,25,53,80,110,143,443,465,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306

UDP ports currently listening for incoming connections:
53,123

Note: The port details above are for information only, csf hasn’t been auto-configured.

Don’t forget to:
  1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf configuration to suite your server
  2. Restart csf and lfd
  3. Set TESTING to 0 once you’re happy with the firewall

Adding current SSH session IP address to the csf whitelist in csf.allow:
Adding 10.30.6.17 to csf.allow only while in TESTING mode (not iptables ACCEPT)

*WARNING* TESTING mode is enabled – do not forget to disable it in the configuration

Installation Completed.

 

To start testing CSF, start it up:

[root@host ~ ]# /etc/init.d/csf restart

Once you have completed your testing, be sure to take CSF out of testing mode by changing the flag in csf.conf:

Edit the configuration with your favorite editor; in this case we will use vi:

[root@host ~ ]# vi /etc/csf/csf.conf

Find this block of text near the top of the configuration file:

# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
TESTING = "1"

Edit the last line of that block of text so that it reflects testing being disabled:

TESTING = "0"

Finally, restart CSF:

[root@host ~ ]# /etc/init.d/csf restart

Your CSF firewall is up and running! Congratulations!
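
The installer output above warns that csf is not auto-configured, so it is worth confirming that your SSH port is allowed by TCP_IN before TESTING is set to "0". The following guard is an added example, not part of the original post or of CSF itself; the function names are hypothetical, the sample config is constructed, and it assumes the KEY = "value" syntax shown above with lo:hi port ranges.

```sh
#!/bin/sh
# Added example (not CSF's own code); function names are hypothetical.

# Print the value of KEY ($1) from a csf.conf-style file ($2): KEY = "value".
csf_conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\(.*\)\".*/\1/p" "$2" | tail -n 1
}

# Succeed if port $1 is in comma-separated list $2, alone or inside a lo:hi range.
port_in_list() {
    local port="$1" list="$2" item lo hi IFS=','
    for item in $list; do
        case $item in
            *:*) lo=${item%%:*}; hi=${item##*:}
                 if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi ;;
            "$port") return 0 ;;
        esac
    done
    return 1
}

# Set TESTING to "0" in file $1 only if SSH port $2 is allowed by TCP_IN.
csf_disable_testing() {
    local file="$1" ssh_port="$2" tcp_in tmp
    tcp_in=$(csf_conf_get TCP_IN "$file")
    if ! port_in_list "$ssh_port" "$tcp_in"; then
        echo "refusing: port $ssh_port is not in TCP_IN ($tcp_in)" >&2
        return 1
    fi
    tmp=$(mktemp)
    sed 's/^\([[:space:]]*TESTING[[:space:]]*=[[:space:]]*\)"1"/\1"0"/' "$file" > "$tmp"
    cat "$tmp" > "$file"   # overwrite in place so ownership and mode are kept
    rm -f "$tmp"
    [ "$(csf_conf_get TESTING "$file")" = "0" ]
}

# Constructed sample (not a real csf.conf): SSH port 22 is missing from TCP_IN.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Testing flag
TESTING = "1"
TCP_IN = "20,21,25,53,80,443,30000:35000"
TCP_OUT = "20,21,22,25,53,80,443"
EOF

csf_disable_testing "$sample" 22 || echo "TESTING left at $(csf_conf_get TESTING "$sample")"
```

On a server you would call csf_disable_testing /etc/csf/csf.conf with your real SSH port, then restart CSF as shown above.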

Common Installation Errors:

If you see an error about libwww not being installed you can install it with yum or cpan:

yum install perl-libwww-perl

OR

perl -MCPAN -e 'install Bundle::LWP'

Beginning CSF: Making Changes Using the Command Line:

Updating CSF using the command line interface is simple by design!

Here are the most common commands you will be using:

  • csf -d IPADDRESS will deny an IP.
  • csf -a IPADDRESS will allow an IP.
  • csf -r will reload all rules.

 

If you forget the command you are looking for, just type ‘csf’ on the command line and you will receive a list of all of your options:


[root@host ~ ]# csf
ConfigServer Security & Firewall (http://www.configserver.com/cp/csf/)
csf: v4.17
(c)2006, Way to the Web Limited (http://www.waytotheweb.com)

Usage: /usr/sbin/csf [option] [value]

Option              Meaning
-h, --help          Show this message
-l, --status        List/Show iptables configuration
-s, --start         Start firewall rules
-f, --stop          Flush/Stop firewall rules
-r, --restart       Restart firewall rules
-a, --add ip        Add an IP address to be whitelisted to /etc/csf.allow
-d, --deny ip       Add an IP address to be blocked to /etc/csf.deny
-dr, --denyrm ip    Remove and unblock an IP address in /etc/csf.deny
-c, --check         Checks for updates to csf+lfd but does not perform an upgrade
-g, --grep ip       Search the iptables rules for an IP match (incl. CIDR)
-t, --temp          Displays the current list of temporary IP bans and their TTL
-tr, --temprm ip    Remove an IP address from the temporary IP ban list
-td, --tempdeny ip  ttl [-p port] [-d direction]
                    Add an IP address to the temporary IP ban list. ttl is how
                    long to blocks for in seconds. Optional port. Optional
                    direction of block can be one of in, out or inout. Default
                    is in
-tf, --tempf        Flush all IP addresses from the temporary IP ban list
-u, --update        Checks for updates to csf+lfd and performs an upgrade if
                    available
-x, --disable       Disable csf and lfd
-e, --enable        Enable csf and lfd if previously disabled
-v, --version       Show csf version

CSF is an increasingly popular alternative to the stock firewalls on some servers. Should you need any other help or have any questions about CSF, please open a ticket with our support team by logging in to your manage account, or you can also visit the CSF home page, where you will find other documentation and FAQs.

 

 

About the author

Venkatesan Prabu

Wikitechy Founder, Author, International Speaker, and Job Consultant. In my role as the CEO of Wikitechy, I help businesses build their next generation digital platforms and help with their product innovation and growth strategy. I'm a frequent speaker at tech conferences and events.
