Installing CSF on CentOS 8

Adding ConfigServer Security and Firewall (CSF) to CentOS 8, AlmaLinux or Rocky Linux

This tutorial is a continuation of the one I put together for a test server based on Rocky Linux that ran OpenLiteSpeed. As was the case last time, I could not find an online article that worked if you followed the instructions step by step. If you’re looking to install ConfigServer Security & Firewall (CSF) on Rocky Linux, AlmaLinux, or CentOS 8 you’ve come to the right place because what I’ve outlined below works.

Installing CSF LFD

CSF / LFD is a Stateful Packet Inspection (SPI) firewall, Login / Intrusion Detection and Security application for Linux servers that is freely distributed. Before installing this on a server, we need to make sure the server software is up to date. We can do this using the sudo command or escalate our privileges for this session using the sudo su command.

$ sudo su

# dnf update

Install any updates, and once that’s done, check whether perl is installed:

# perl -v

# dnf info perl

Last metadata expiration check: 1:54:32 ago on Fri 15 Apr 2022 02:44:01 PM EDT.
Available Packages
Name         : perl
Epoch        : 4
Version      : 5.26.3
Release      : 420.el8
Architecture : x86_64
Size         : 72 k
Source       : perl-5.26.3-420.el8.src.rpm
Repository   : appstream
Summary      : Practical Extraction and Report Language
URL          : http://www.perl.org/
License      : GPL+ or Artistic
Description  : Perl is a high-level programming language with roots in C, sed, awk and shell
             : scripting. Perl is good at handling processes and files, and is especially
             : good at handling text. Perl's hallmarks are practicality and efficiency.
             : While it is used to do a lot of different things, Perl's most common
             : applications are system administration utilities and web programming.
             :
             : This is a metapackage with all the Perl bits and core modules that can be
             : found in the upstream tarball from perl.org.
             :
             : If you need only a specific feature, you can install a specific package
             : instead. E.g. to handle Perl scripts with /usr/bin/perl interpreter,
             : install perl-interpreter package. See perl-interpreter description for more
             : details on the Perl decomposition into packages.

Note that the second line of the output above says Available Packages rather than Installed Packages. Since perl isn’t installed on this machine, let’s install it.

# dnf install perl

Once the installation process is over, let’s check to make sure everything is installed correctly.

# dnf info perl

Last metadata expiration check: 1:55:52 ago on Fri 15 Apr 2022 02:44:01 PM EDT.
Installed Packages
Name         : perl
Epoch        : 4
Version      : 5.26.3

As the output above indicates, perl 5.26.3 is now installed on the server. At this point, we are ready to start installing CSF. To do this, we need to switch to the correct directory.

# cd /usr/src

We want a fresh install, so let’s make sure we remove any old version that might be on the server for some reason.

# rm -fv csf.tgz

Now we need to install wget (if it’s not installed already) so we can retrieve CSF.

# dnf install wget

Now it’s time to download the latest version of CSF.

# wget https://download.configserver.com/csf.tgz

Let’s unpack the tarball.

# tar -xzf csf.tgz

At this point, we can go to the CSF directory and run the installation script.

# cd csf

# sh install.sh

Once this is complete, you should see: Installation Completed.

The next step is to test the installation and make sure it will work on the server.

# perl /usr/local/csf/bin/csftest.pl

Once again, you want to see:

RESULT: csf should function on this server

Before you configure CSF, you need to make sure you don’t have another firewall running.

# systemctl stop firewalld

And you want to disable it so it doesn’t start the next time the server boots.

# systemctl disable firewalld

At this point, it is time to start configuring CSF. In this example, I am using the nano editor.

# cd /etc/csf/

# nano csf.conf

Once in the nano editor, there are a lot of options to read through and configure, depending on the ports you need open and how the server will be used. One important change is to take CSF out of testing mode, so near the top of the file, set the following:

TESTING = "0"
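
While TESTING is 1, CSF flushes the rules on a timer and lfd will not start, so a bad rule set cannot lock you out for long; once it is 0 that safety net is gone, and the port you use for SSH has to be listed in TCP_IN. The script below is an added example, not part of the original tutorial or of CSF itself: it checks both settings against a constructed sample config, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check to run before setting TESTING = "0".
# The sample config below is constructed; on a server use /etc/csf/csf.conf.

# Print the value of key $1 from csf.conf-style file $2 (KEY = "value").
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Succeed if port $1 is covered by list $2 (comma separated, ranges as lo:hi).
port_in_list() {
    old_ifs=$IFS; IFS=,
    set -- "$1" $2            # split the list on commas; $1 stays the port
    IFS=$old_ifs
    port=$1; shift
    for entry in "$@"; do
        case $entry in
            *:*) if [ "$port" -ge "${entry%%:*}" ] && [ "$port" -le "${entry##*:}" ]; then return 0; fi ;;
            *)   if [ "$entry" = "$port" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# $1 = config file, $2 = TCP port used for SSH.
# Returns 0 = ready, 1 = still in testing mode, 2 = SSH port not allowed inbound.
csf_preflight() {
    conf=$1; ssh_port=$2
    tcp_in=$(csf_get TCP_IN "$conf" | tr -d ' ')
    if ! port_in_list "$ssh_port" "$tcp_in"; then
        echo "LOCKOUT-RISK: TCP port $ssh_port is not in TCP_IN ($tcp_in)"
        return 2
    fi
    if [ "$(csf_get TESTING "$conf")" != "0" ]; then
        echo "TESTING-ON: rules are flushed on a timer and lfd will not start"
        return 1
    fi
    echo "OK: TESTING is 0 and TCP port $ssh_port is allowed inbound"
}

sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not taken from a real server
TESTING = "1"
TCP_IN = "20,21,25,53,80,443,30000:35000"
EOF
csf_preflight "$sample" 22 || echo "exit status: $?"
rm -f "$sample"
```

On a server, call csf_preflight /etc/csf/csf.conf with the port sshd actually listens on, fix whatever it reports, and then apply the configuration with csf -r.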

Once CSF and LFD are configured, it’s time to start the CSF and LFD services:

# systemctl start csf
# systemctl start lfd

We also want to make sure they start up each time we boot the server.

# systemctl enable csf
# systemctl enable lfd

Finally, in the event you run into any problems, here is a CSF cheat sheet:

CSF Command                               Description
csf -e                                    Enable CSF
csf -x                                    Disable CSF
csf -s                                    Start the server’s firewall rules
csf -f                                    Flush/Stop server’s firewall rules
csf -r                                    Restart the server’s firewall rules
csf -a [IP Address] [Optional Comment]    Allow an IP by adding it to /etc/csf/csf.allow
csf -td [IP Address] [Optional Comment]   Temporarily deny an IP by adding it to /var/lib/csf/csf.tempban
csf -tr [IP Address]                      Remove an IP from the temporary ban or allow list
csf -tf                                   Flush all IPs from the temporary ban or allow list
csf -d [IP Address] [Optional Comment]    Deny an IP by adding it to /etc/csf/csf.deny
csf -dr [IP Address]                      Unblock an IP by removing it from /etc/csf/csf.deny
csf -df                                   Remove and unblock all entries in /etc/csf/csf.deny
csf -g [IP Address]                       Search the iptables rules for a match
csf -t                                    Displays a list of temporary allow and deny IP entries