Introduction
Config Server Firewall (or CSF) is a free, advanced firewall for most Linux distributions and Linux-based VPS. In addition to the basic function of a firewall, packet filtering, CSF includes other security features such as login, intrusion and flood detection.
CSF also includes UI integration for cPanel, DirectAdmin and Webmin, but this tutorial only covers command-line usage. CSF is able to recognize many attacks, such as port scans, SYN floods and login brute-force attempts against many services, and it is configured to temporarily block clients that are detected attacking the cloud server.
The full list of supported operating systems and features can be found on ConfigServer’s website.
Installing ConfigServer Firewall
- First we need to make sure that Perl and the Perl modules CSF relies on are installed (the command also pulls in wget and vim, which are used below):
yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes
- Then we can go ahead and download CSF
cd /usr/src/
wget https://download.configserver.com/csf.tgz
- The next step is to extract the downloaded tar archive and run the install script. Once it finishes, run the csftest.pl script it places in /usr/local/csf/bin; it checks that the kernel provides the iptables modules CSF needs, and any module it reports as missing must be fixed before the firewall can work:
tar -xzf csf.tgz
cd csf
sh install.sh
Configure CSF
- CentOS 7 ships with firewalld as its default firewall. CSF manages the iptables rules itself, so firewalld has to be stopped and removed from startup; running both at once leaves two tools rewriting the same rule set.
Stop firewalld:
systemctl stop firewalld
and disable it:
systemctl disable firewalld
- Now we can take CSF out of its default TESTING state. While TESTING is "1", lfd will not run and a cron job flushes the iptables rules every TESTING_INTERVAL minutes, so a mistake in the port lists cannot lock you out permanently. Before switching it to "0", make sure the port sshd listens on is present in TCP_IN (see below), otherwise your own SSH session will be blocked as soon as the rules load.
cd /etc/csf/
Next open csf.conf with your preferred text editor (vim, vi, nano, etc.):
vim csf.conf
Near the top of the file you will find the TESTING setting; it is "1" by default. Set it to "0":
TESTING = "0"
- Now we can start and enable both csf and lfd:
systemctl start csf
systemctl start lfd
systemctl enable csf
systemctl enable lfd
- As mentioned, CSF is configured by editing its configuration file csf.conf in /etc/csf:
The fewer ports that are reachable on your VPS, the smaller its attack surface. However, not all ports can be closed, as clients must still be able to reach your services.
The ports opened by default are the following:
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
It is possible that you are not using all of these services, so you can close the ports that are not used. I would recommend closing all ports (removing the port numbers from the lists) and then adding back only the ports you need, starting with the one sshd listens on.
The minimum set to keep open on any server (SSH, DNS resolution, outbound HTTP/HTTPS for updates, ident and NTP) is:
TCP_IN: 22,53
TCP_OUT: 22,53,80,113,443
UDP_IN: 53
UDP_OUT: 53,113,123
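The two edits above (setting TESTING and trimming TCP_IN) are where people lock themselves out: once TESTING is "0" the rules persist, and an SSH port missing from TCP_IN means the next connection is dropped. The following POSIX shell script is an added example, not part of CSF or of the original tutorial. It reads and rewrites KEY = "value" lines in a csf.conf (the format the shipped file uses), finds the port from an sshd_config Port directive (22 if there is none), and only flips TESTING to "0" when that port is in TCP_IN. The file paths, function names and the sample files built by demo are assumptions for the example; it never calls the csf binary itself.

```shell
#!/bin/sh
# Added example (not CSF's own code): script-safe edits of csf.conf with a
# guard against leaving TESTING mode while the SSH port is not in TCP_IN.
# Assumes csf.conf uses KEY = "value" lines and sshd_config an optional
# "Port N" directive. CSF_CONF / SSHD_CONF can point at copies for a dry run.

CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"
SSHD_CONF="${SSHD_CONF:-/etc/ssh/sshd_config}"

# csf_get KEY FILE: print the quoted value of KEY (empty if absent).
# Anchored at line start, so commented copies of a key are ignored.
csf_get() {
    sed -n "s/^$1 *= *\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# csf_set KEY VALUE FILE: rewrite the KEY = "..." line in place.
# VALUE is a port list or flag here, so it contains no / or & that sed
# would misread.
csf_set() {
    sed -i "s/^$1 *= *\"[^\"]*\"/$1 = \"$2\"/" "$3"
}

# ssh_port FILE: first uncommented Port directive, default 22.
ssh_port() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${p:-22}"
}

# port_in_list PORT LIST: succeed if PORT is an element of the comma list.
# Port ranges such as "1000:2000" are not expanded; keep the SSH port
# listed explicitly so this check stays simple and honest.
port_in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# leave_testing CSF_CONF SSHD_CONF: set TESTING = "0" only if the sshd port
# is allowed in TCP_IN; otherwise leave TESTING as it is and fail. While
# TESTING is "1" CSF flushes its rules every TESTING_INTERVAL minutes, so a
# bad TCP_IN only becomes a lock-out once TESTING is "0".
leave_testing() {
    port=$(ssh_port "$2")
    tcp_in=$(csf_get TCP_IN "$1")
    if port_in_list "$port" "$tcp_in"; then
        csf_set TESTING 0 "$1"
        return 0
    fi
    echo "refusing to set TESTING=0: sshd port $port is not in TCP_IN=\"$tcp_in\"" >&2
    return 1
}

# demo: run the guard against constructed sample files in a temp directory.
# sshd is on 2222, which the trimmed TCP_IN lacks, so the first attempt is
# refused; after the port is added the second attempt succeeds.
demo() {
    d=$(mktemp -d)
    printf 'TESTING = "1"\nTCP_IN = "22,53"\nTCP_IN6 = "22"\n' > "$d/csf.conf"
    printf '# constructed sample sshd_config\nPort 2222\n' > "$d/sshd_config"
    leave_testing "$d/csf.conf" "$d/sshd_config" \
        || echo "first attempt refused, TESTING=$(csf_get TESTING "$d/csf.conf")"
    csf_set TCP_IN "$(csf_get TCP_IN "$d/csf.conf"),2222" "$d/csf.conf"
    leave_testing "$d/csf.conf" "$d/sshd_config" \
        && echo "second attempt ok, TESTING=$(csf_get TESTING "$d/csf.conf")"
    rm -rf "$d"
}

demo
```

On a real server you would run it as root with the default paths, then csf -r. The guard is deliberately strict: it matches the sshd port only as an explicit list element, so if you rely on a port range in TCP_IN you will have to add the SSH port on its own as well.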
- CSF offers a vast number of options in its configuration file. Some of the most commonly used settings are explained below, using the key names as they appear in csf.conf.
ICMP_IN Setting ICMP_IN to 1 allows ping to your server and 0 drops such requests. If you are hosting any public services, it is recommended to allow ICMP requests, as these can be used to determine whether or not your service is available.
ICMP_IN_RATE Sets the rate of incoming ICMP (ping) requests allowed from one IP address; requests above the rate are dropped. There is usually no need to change the default value (1/s).
DENY_IP_LIMIT Sets the number of permanently blocked IP addresses CSF keeps in csf.deny; when the limit is reached the oldest entries are removed. Every entry becomes a firewall rule, so a very large deny list slows rule loading and packet processing, and it is recommended to keep the limit modest.
DENY_TEMP_IP_LIMIT Same as above, but for temporary IP address blocks.
PACKET_FILTER Filters invalid, unwanted and illegal packets.
SYNFLOOD, SYNFLOOD_RATE and SYNFLOOD_BURST These offer protection against SYN flood attacks. When triggered, the protection slows down the setup of every new connection from any address, so you should enable it only if you know that your server is under attack.
- Applying the Changes
Whenever you alter settings in csf.conf, save the file and restart CSF for the changes to take effect. Once you are done with the configuration, reload the firewall rules with:
csf -r
Settings read by lfd (the LF_*, PT_* and alert options) need lfd restarted as well; csf -ra restarts both csf and lfd in one step.
Additionally, lfd can email the system administrator when something worth a second look happens. The two settings below send an alert for every successful SSH login and every use of su to switch accounts; lfd's process tracking (PT_LIMIT and the related PT_* settings) separately reports suspicious processes and unexpected open network ports. This may help you identify and stop a possible exploit on your VPS. In csf.conf, change the value from 0 to 1 for the following features:
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"
and set the destination address (the value here is a placeholder; use your own):
LF_ALERT_TO = "you@example.com"
CSF usage
- To start the firewall:
csf -s
- To flush (stop) the firewall rules:
csf -f
- To reload the current rules:
csf -r
- To allow an IP address and add it to /etc/csf/csf.allow:
csf -a 1.1.1.1
- To deny an IP address and add it to /etc/csf/csf.deny:
csf -d 1.1.1.1
- To deny an IP address temporarily; the block lasts 3600 seconds unless a different TTL in seconds (optionally followed by a comment) is given after the address. A temporary block is removed again with csf -tr, and csf -g lists every rule that mentions an address, which is the first thing to check when a client reports being locked out:
csf -td 1.1.1.1
CSF can also allow or deny access by country through the CC_ALLOW and CC_DENY settings, which take ISO 3166-1 alpha-2 country codes; lfd downloads the CIDR ranges assigned to each listed country and loads them into the firewall. To list more than one country, separate the codes with commas:
CC_DENY = "AB,CD,EF"
Country matching depends on a GeoIP database. Recent CSF versions need a MaxMind license key in MM_LICENSE_KEY (or another database source selected with CC_SRC) before any CC_* setting takes effect, and the resulting rule sets are large, so expect slower rule loading when many countries are listed.
You may find a list of ISO 3166-1 alpha-2 codes at https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
Conclusion
CSF is a front end to iptables for Linux servers that is easy to install and operate, and it comes with many handy built-in options you can use to make sure the security of your server is properly configured.