Adding ConfigServer Security and Firewall (CSF) to Centos 8, Alma-Linuxn or Rocky Linux
This tutorial is a continuation of the one I put together for a test server based on Rocky Linux that ran OpenLiteSpeed. As was the case last time, I could not find an online article that worked if you followed the instructions step by step. If you’re looking to install ConfigServer Security & Firewall (CSF) on Rocky Linux, Alma-Linux, or Centos 8 you’ve come to the right place because what I’ve outlined below works.
Installing CSF LFD
CSF / LFD is a Stateful Packet Inspection (SPI) firewall, Login / Intrusion Detection and Security application for Linux servers that is freely distributed. Before installing this on a server, we need to make sure the server software is up to date. We can do this using the sudo command or escalate our privileges for this session using the sudo su command.
$ sudo su
# dnf update
Install any updates, and once that’s done we need to check to make sure we have perl installed
# perl -v
# dnf info perl
Last metadata expiration check: 1:54:32 ago on Fri 15 Apr 2022 02:44:01 PM EDT.
Available Packages
Name : perl
Epoch : 4
Version : 5.26.3
Release : 420.el8
Architecture : x86_64
Size : 72 k
Source : perl-5.26.3-420.el8.src.rpm
Repository : appstream
Summary : Practical Extraction and Report Language
URL : http://www.perl.org/
License : GPL+ or Artistic
Description : Perl is a high-level programming language with roots in C, sed, awk and shell
: scripting. Perl is good at handling processes and files, and is especially
: good at handling text. Perl's hallmarks are practicality and efficiency.
: While it is used to do a lot of different things, Perl's most common
: applications are system administration utilities and web programming.
:
: This is a metapackage with all the Perl bits and core modules that can be
: found in the upstream tarball from perl.org.
:
: If you need only a specific feature, you can install a specific package
: instead. E.g. to handle Perl scripts with /usr/bin/perl interpreter,
: install perl-interpreter package. See perl-interpreter description for more
: details on the Perl decomposition into packages.
In the above we note the second line says Available Packages. Since perl isn’t installed on this machine, let’s install it.
# dnf install perl
Once the installation process is over, let’s check to make sure everything is installed correctly.
# dnf info perl
Last metadata expiration check: 1:55:52 ago on Fri 15 Apr 2022 02:44:01 PM EDT.
Installed Packages
Name : perl
Epoch : 4
Version : 5.26.3
As indicated in the above perl 5.26.3 is installed on the server. At this point, we are ready to start installing CSF. To do this, we need to switch to the correct directory.
# cd /usr/src
We want a fresh install, so lets make sure we remove any old version that might be on the server for some reason.
# rm -fv csf.tgz
Now we need to install wget (if it’s not installed already) so we can retrieve CSF.
# dnf install wget
Now it’s time to download the latest version of CSF.
# wget https://download.configserver.com/csf.tgz
Let’s unpack the tarball.
# tar -xzf csf.tgz
At this point, we can go to the CSF directory and run the installation script.
# cd csf
# sh install.sh
Once this is complete, you should see: Installation Completed.
The next step is to test the installation and make sure it will work on the server.
# perl /usr/local/csf/bin/csftest.pl
Once again, you want to see
RESULT: csf should function on this server
Before you configure CSF, you need to make sure you don’t have another firewall running.
# systemctl stop firewalld
And you want to disable it so it doesn’t start the next time the server boots.
# systemctl disable firewalld
At this point, it is time to start configuring CSF. In this example, I am using the nano editor.
# cd /etc/csf/
# nano csf.conf
Once in the nano editor, there are a lot of options to read through and configure, depending on the ports you need open and how the server will be used. One important change to make is to get out of the testing mode, so right in the beginning of the file, set the following:
TESTING = "0"
Once CSF and LFD are configured, it’s time to start CSF and LFD services
# systemctl start csf
# systemctl start lfd
We also want to make sure they start up each time we boot the server.
# systemctl enable csf
# systemctl enable lfd
Finally, in the event you run into any problems, here is a CSF cheat sheet:
CSF Command | Description |
csf -e | Enable CSF |
csf -x | Disable CSF |
csf -s | Start the server’s firewall rules |
csf -f | Flush/Stop server’s firewall rules |
csf -r | Restart the server’s firewall rules |
csf -a [IP Address] [Optional Comment] | Allow an IP by adding it to /etc/csf/csf.allow |
csf -td [IP Address] [Optional Comment] | Temporarily deny an IP by adding it to /var/lib/csf/csf.tempban |
csf -tr [IP Address] | Remove an IP from the temporary ban or allow list |
csf -tf | Flush all IPs from the temporary ban or allow list |
csf -d [IP Address] [Optional Comment] | Deny an IP by adding it to /etc/csf/csf.deny |
csf -dr [IP Address] | Unblock an IP by removing it from /etc/csf/csf.deny |
csf -df | Remove and unblock all entries in /etc/csf/csf.deny |
csf -g [IP Address] | Search the iptables rules for a match |
csf -t | Displays a list of temporary allow and deny IP entries |