What is Configserver Security and Firewall (CSF)
ConfigServer Security & Firewall (CSF) is the most commonly used advanced firewall on Linux servers. It provides login/intrusion detection, SSH login notification, excessive connection blocking, suspicious file reporting and more.
In this tutorial we will go through the installation of CSF on a Linux server (CentOS) and the basic and most important options in the CSF configuration.
Installing & Configuring CSF
CSF provides an installation script that installs the whole package in a single run. We only have to download the archive containing the script and execute it.
Here are the steps for installing CSF:
#Change working directory to the desired installation directory
#Remove the existing package archive
rm -fv csf.tgz
#Download the package which contains the install script
#Extract the archive
tar -xzf csf.tgz
#Change working directory to the CSF directory which contains the installation script
#Execute the installation script
This installs CSF on the server; you can then allow and deny IPs, ports and so on with the csf command. There are many other options as well, which we will see later as we progress.
Whether CSF will work on the server can be checked by running its test script.
Refer to the screenshot below to see the output when all the required iptables modules are present on the server.
Note that Perl must be installed on the server to run this script. If it is not installed, you can install it with:
yum install perl
If any FATAL errors are reported, this installation is not going to work, so you need to fix those errors first.
Also make sure that no other iptables firewall configuration scripts are installed. If you installed APF + BFD previously, you can remove them by running the script given below.
CSF is now installed, but by default it runs in 'Testing' mode. To change this, make the following change in the CSF configuration file.
Edit the value as shown below.
TESTING = "0"
Restart the csf service so the change takes effect (csf -r, listed with the other commands below).
With this, CSF will be active and running. We can now move on to the basic security settings in the CSF configuration file (/etc/csf/csf.conf).
Allowing TCP and UDP Incoming and Outgoing Ports
Since attackers often exploit open ports on the server, it is advisable to keep only the necessary ports open and deny access to all others. This is done by allowing the necessary and commonly used TCP and UDP ports in the CSF configuration file; every other port is closed, and attempts to access a port that is not allowed are blocked by CSF.
Below is the section of the configuration file where you allow the incoming and outgoing TCP and UDP ports.
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123"
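The port lists above only enforce least privilege if the file actually says what you think it says, and only once TESTING is "0". The following audit script is an added example, not part of this tutorial or of the CSF project: it parses the KEY = "value" lines of a csf.conf fragment (a constructed sample is embedded), expands CSF's comma-separated port lists including colon ranges such as 30000:35000, and reports any port that is open beyond the baseline lists shown above, plus a TESTING flag that is still set. The baseline and the extra port 3306 in the sample are assumptions chosen for illustration.

```python
import re

# Constructed csf.conf fragment (example data, not a real server's config).
# It reuses the port lists from the tutorial, deliberately leaves TESTING = "1"
# and adds one extra port to TCP_IN so the audit has something to report.
SAMPLE_CONF = '''
# Testing flag - enables a CRON job that clears iptables in case of errors
TESTING = "1"

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,3306"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123"
'''

# Matches a csf.conf setting line; comment lines start with '#' and never match.
SETTING_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"', re.MULTILINE)


def parse_conf(text):
    """Return csf.conf KEY = "value" settings as a dict; the last definition wins."""
    return {m.group(1): m.group(2) for m in SETTING_RE.finditer(text)}


def expand_ports(value):
    """Turn a CSF port list such as "20,21,30000:35000" into a set of ints.
    CSF accepts single ports and colon-separated port ranges."""
    ports = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


# Baseline (assumed): the port lists this tutorial recommends for a general server.
BASELINE = {
    "TCP_IN": expand_ports("20,21,22,25,53,80,110,143,443,465,587,993,995"),
    "TCP_OUT": expand_ports("20,21,22,25,53,80,110,113,443,587,993,995"),
    "UDP_IN": expand_ports("20,21,53"),
    "UDP_OUT": expand_ports("20,21,53,113,123"),
}


def audit(text):
    """Return a list of findings (strings) for the given csf.conf text."""
    conf = parse_conf(text)
    findings = []
    if conf.get("TESTING", "1") != "0":
        findings.append("TESTING is not 0: the firewall is flushed by cron and not enforcing")
    for key, allowed in BASELINE.items():
        configured = expand_ports(conf.get(key, ""))
        extra = sorted(configured - allowed)
        if extra:
            findings.append(f"{key} opens ports not in the baseline: {extra}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("WARNING:", finding)
```

Run it against the real file with `audit(open("/etc/csf/csf.conf").read())` after adjusting BASELINE to the services the server actually provides; an empty list means the port policy matches the baseline and the firewall is live.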
Port Flood Protection
This protects the server from port flood attacks, i.e. flooding the common ports with a huge number of connections and thereby denying or hanging the services listening on those ports.
With this option we set the maximum number of new connections a port may receive within an interval; connections beyond that limit are blocked by the firewall. The syntax of the PORTFLOOD field is given below.
PORTFLOOD = "port;protocol;hit_count;interval_in_seconds"
You can add multiple ports separated by commas.
Here is an example for enabling port flood protection.
PORTFLOOD = "80;tcp;50;10"
This means that if the number of connections to port 80 exceeds 50 within ten seconds, all further new connections will be blocked.
Connection Limit Protection
This option lets us set the maximum number of concurrent connections to a particular open port on the server from a single IP. It is intended as protection against denial-of-service (DoS) attacks.
CONNLIMIT = "port;limit"
We can set connection limits for multiple ports separated by commas. Here is an example:
CONNLIMIT = "80;10,21;2"
This means the maximum number of concurrent connections to port 80 (HTTP) from a single IP is 10, and to port 21 (FTP) per IP is 2.
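To make the difference between the two settings concrete, here is an added example (not code from this tutorial or from CSF) that parses the PORTFLOOD and CONNLIMIT strings shown above and replays them over constructed connection events: PORTFLOOD is modelled as a sliding window of new-connection hits per source address and port, CONNLIMIT as a count of currently open connections per source address and port. The addresses and the burst of 60 attempts are constructed sample data, and the per-source modelling is an assumption of this simulation rather than a statement about CSF's iptables rules.

```python
from collections import defaultdict, deque


def parse_portflood(value):
    """Parse PORTFLOOD = "port;proto;hit_count;interval,..." into
    {(port, proto): (hit_count, interval)}."""
    rules = {}
    for entry in value.split(","):
        entry = entry.strip()
        if entry:
            port, proto, hits, interval = entry.split(";")
            rules[(int(port), proto.lower())] = (int(hits), int(interval))
    return rules


def parse_connlimit(value):
    """Parse CONNLIMIT = "port;limit,..." into {port: limit}."""
    rules = {}
    for entry in value.split(","):
        entry = entry.strip()
        if entry:
            port, limit = entry.split(";")
            rules[int(port)] = int(limit)
    return rules


class FloodGuard:
    """Sliding-window model of PORTFLOOD: per (source, port, proto), more than
    hit_count new connections within interval seconds are dropped."""

    def __init__(self, rules):
        self.rules = rules
        self.hits = defaultdict(deque)  # (src, port, proto) -> timestamps in window

    def new_connection(self, ts, src, port, proto):
        rule = self.rules.get((port, proto))
        if rule is None:
            return True  # no rule for this port: always accepted
        hit_count, interval = rule
        window = self.hits[(src, port, proto)]
        while window and ts - window[0] >= interval:
            window.popleft()  # drop hits that fell out of the interval
        window.append(ts)  # every attempt counts, accepted or not
        return len(window) <= hit_count


class ConnLimitGuard:
    """Model of CONNLIMIT: at most `limit` concurrent connections per source to a port."""

    def __init__(self, rules):
        self.rules = rules
        self.open_count = defaultdict(int)  # (src, port) -> open connections

    def open(self, src, port):
        limit = self.rules.get(port)
        if limit is not None and self.open_count[(src, port)] >= limit:
            return False  # slot not available: connection refused
        self.open_count[(src, port)] += 1
        return True

    def close(self, src, port):
        if self.open_count[(src, port)] > 0:
            self.open_count[(src, port)] -= 1


def simulate_portflood(rules_value="80;tcp;50;10"):
    """Replay a constructed burst against PORTFLOOD; returns (accepted, dropped, other_ok)."""
    guard = FloodGuard(parse_portflood(rules_value))
    # Constructed burst: 60 attempts from one address to port 80 within 6 seconds.
    burst = [guard.new_connection(i * 0.1, "203.0.113.7", 80, "tcp") for i in range(60)]
    # A second address with a few connections in the same period is untouched.
    other = [guard.new_connection(float(i), "198.51.100.9", 80, "tcp") for i in range(3)]
    return burst.count(True), burst.count(False), all(other)


def simulate_connlimit(rules_value="80;10,21;2"):
    """Replay constructed opens/closes against CONNLIMIT."""
    guard = ConnLimitGuard(parse_connlimit(rules_value))
    src = "203.0.113.7"
    ftp = [guard.open(src, 21) for _ in range(3)]  # third FTP connection refused
    guard.close(src, 21)
    ftp_after_close = guard.open(src, 21)  # a slot was freed, so accepted again
    web = [guard.open(src, 80) for _ in range(12)]
    return ftp, ftp_after_close, web.count(True), web.count(False)


if __name__ == "__main__":
    print("PORTFLOOD 80;tcp;50;10 ->", simulate_portflood())
    print("CONNLIMIT 80;10,21;2 ->", simulate_connlimit())
```

With the tutorial's values, the burst yields 50 accepted and 10 dropped attempts while the quiet address is unaffected, and the FTP limit of 2 refuses the third connection until one of the first two closes.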
Connection Tracking
This option lets us set the maximum number of total connections from a single IP address to the server. If the total number of connections from an IP address exceeds the set value, the offending IP address is blocked. This also protects against denial-of-service (DoS) attacks.
Here are examples of the CT options in the configuration.
CT_LIMIT = "100"
All IPs with more than 100 connections will be blocked.
CT_PERMANENT = "1"
IPs exceeding the connection limit will be blocked permanently (in which case CT_BLOCK_TIME below does not apply).
CT_BLOCK_TIME = "3600"
This sets how long an IP stays blocked for exceeding the connection limit when blocks are temporary. The setting above blocks the IP with excess connections for 3600 seconds, or 1 hour.
CT_INTERVAL = "60"
This sets the interval in seconds between connection tracking scans; in the example above the scans take place every 60 seconds.
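The four CT settings interact: the scan runs every CT_INTERVAL seconds, blocks any address holding more than CT_LIMIT connections in that scan, and either expires the block after CT_BLOCK_TIME or keeps it for good when CT_PERMANENT is "1". The following tracker is an added example that models exactly that interaction in Python; it is not lfd's code, the connection snapshot and addresses are constructed, and it uses CT_PERMANENT = "0" so the expiry path can be shown as well.

```python
from collections import Counter

# Tutorial values, with CT_PERMANENT set to "0" (assumption) so that
# CT_BLOCK_TIME is exercised; with "1" the block would never expire.
CT_SETTINGS = {
    "CT_LIMIT": "100",
    "CT_PERMANENT": "0",
    "CT_BLOCK_TIME": "3600",
    "CT_INTERVAL": "60",
}


class ConnTracker:
    """Model of the CT_* settings: periodic scans, per-IP totals, timed or permanent blocks."""

    def __init__(self, settings):
        self.limit = int(settings["CT_LIMIT"])
        self.permanent = settings["CT_PERMANENT"] == "1"
        self.block_time = int(settings["CT_BLOCK_TIME"])
        self.interval = int(settings["CT_INTERVAL"])
        self.blocked = {}  # ip -> expiry timestamp, or None for a permanent block
        self.last_scan = None

    def scan(self, now, connections):
        """Run one scan at time `now` over a snapshot of (src_ip, dst_port) pairs.
        Returns the IPs newly blocked by this scan. A scan requested less than
        CT_INTERVAL seconds after the previous one is skipped."""
        if self.last_scan is not None and now - self.last_scan < self.interval:
            return []
        self.last_scan = now
        # Expire temporary blocks whose CT_BLOCK_TIME has elapsed.
        for ip, expiry in list(self.blocked.items()):
            if expiry is not None and now >= expiry:
                del self.blocked[ip]
        per_ip = Counter(ip for ip, _ in connections)
        newly = []
        for ip, total in per_ip.items():
            if total > self.limit and ip not in self.blocked:
                self.blocked[ip] = None if self.permanent else now + self.block_time
                newly.append(ip)
        return newly

    def is_blocked(self, ip):
        return ip in self.blocked


def demo():
    """Walk one address through block, skipped scan and expiry; returns the observations."""
    # Constructed snapshot: one address holds 150 connections, another holds 20.
    snapshot = [("203.0.113.7", 80)] * 150 + [("198.51.100.9", 443)] * 20
    tracker = ConnTracker(CT_SETTINGS)
    first = tracker.scan(0, snapshot)          # 150 > 100: blocked for 3600 s
    skipped = tracker.scan(30, snapshot)       # inside CT_INTERVAL: scan skipped
    still_blocked = tracker.is_blocked("203.0.113.7")
    tracker.scan(3600, [])                     # CT_BLOCK_TIME elapsed: block expires
    return first, skipped, still_blocked, tracker.is_blocked("203.0.113.7")


if __name__ == "__main__":
    print(demo())
```

The address with 20 connections is never touched, which is the point of choosing CT_LIMIT well above what a legitimate client opens; set it too low and busy NAT gateways or proxies will be blocked along with the attackers.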
These are the basic security settings. There are a lot of advanced options as well, such as:
PACKET_FILTER – to drop invalid packets.
SYNFLOOD – to drop TCP SYN packet DoS attempts (recommended only if you are under a DoS attack).
ICMP_IN and ICMP_OUT – to allow/deny incoming and outgoing ping (ICMP) packets.
SYSLOG and RESTRICT_SYSLOG – to enable logging of login failures to syslog and rsyslog, etc.
Useful csf command options
Block an IP with CSF
csf -d <IP address>
Allow an IP with CSF
csf -a <IP address>
Unblock an IP with CSF
csf -dr <IP address>
Unblock a temporarily blocked IP with CSF
csf -tr <IP address>
Replace <IP address> with the actual IP address of the user connecting to the server.
csf -s – Start firewall rules
csf -f – Flush/stop firewall rules
csf -r – Restart firewall rules
csf -x – Disable CSF
csf -e – Enable CSF
csf -c – Check for updates
csf -h – Show help screen
So there you have it: a step-by-step guide to installing and configuring CSF on a dedicated server or Linux VPS.