This tutorial guides you step by step through installing CSF on AlmaLinux so that your server is hardened against common threats. Every system administrator has the critical responsibility of safeguarding their server against threats and vulnerabilities. ConfigServer Security & Firewall (CSF) is a powerful solution designed to strengthen your server's security and protect it against various types of attacks.
Requirements:
- A server with AlmaLinux 20.04 as the OS.
- User privileges: root or non-root user with sudo privileges.
Steps to Install and Configure CSF on AlmaLinux
Step 1. Update the System
Before installing CSF, update the system packages to the latest available versions.
sudo dnf update -y && sudo dnf upgrade -y
Step 2. Download and Install CSF
First install the packages that CSF depends on.
sudo dnf install epel-release -y
sudo dnf install iptables perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph wget tar perl-Math-BigInt -y
Once they are installed, download the CSF archive from the official source. Work in the /usr/src directory to keep things organized.
cd /usr/src
wget https://download.configserver.com/csf.tgz
After downloading, extract the contents of the archive to access the CSF installation files.
tar zxvf csf.tgz
Then, switch to the extracted CSF directory and run the installation script to begin the setup.
cd csf/
sh install.sh
If the installation succeeds, the output ends with a confirmation message that CSF has been installed, similar to the following.
Don’t forget to:
- Configure the following options in the csf configuration to suite your server: TCP_*, UDP_*
- Restart csf and lfd
- Set TESTING to 0 once you’re happy with the firewall, lfd will not run until you do so
Adding current SSH session IP address to the csf whitelist in csf.allow:
Can't locate lib.pm in @INC (you may need to install the lib module) (@INC contains: /usr/local/lib64/perl5/5.32 /usr/local/share/perl5/5.32 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at /usr/sbin/csf line 10.
BEGIN failed--compilation aborted at /usr/sbin/csf line 10.
'lfd.service' -> '/usr/lib/systemd/system/lfd.service'
'csf.service' -> '/usr/lib/systemd/system/csf.service'
Created symlink /etc/systemd/system/multi-user.target.wants/csf.service → /usr/lib/systemd/system/csf.service.
Created symlink /etc/systemd/system/multi-user.target.wants/lfd.service → /usr/lib/systemd/system/lfd.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'
Installation Completed
The reminder at the end of this output tells you that CSF is not yet configured. Also note the "Can't locate lib.pm" error above it: it means the installer could not add your current SSH session's IP address to csf.allow, so whitelist that address yourself before you enable the firewall, or you risk locking yourself out. Before configuring CSF, check that the required iptables modules are available by executing the command below:
sudo perl /usr/local/csf/bin/csftest.pl
If done properly, here is the expected output:
[root@host csf]# sudo perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
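The install output above ends with a "Can't locate lib.pm" error exactly where the installer tries to add the current SSH session's IP address to csf.allow, so that step did not happen. The POSIX sh script below is an added example, not part of CSF or of this tutorial; it re-does that step by hand: it takes the client address from the SSH_CONNECTION variable that sshd sets in your session, validates it, and appends it to csf.allow unless it is already listed. The path /etc/csf/csf.allow in the apply branch is assumed from the CSF defaults, and the "apply" argument is a convention of this script only.

```shell
#!/bin/sh
# Added example (not part of the CSF installer): whitelist the IP address of the
# current SSH session in csf.allow so that starting the firewall cannot lock the
# administrator out. All functions take their inputs as arguments so they can be
# tried against a scratch file first.

# ssh_client_ip SSH_CONNECTION_VALUE
#   Prints the client address from the SSH_CONNECTION variable, whose format is
#   "client_ip client_port server_ip server_port". Fails if the value is empty.
ssh_client_ip() {
    set -- $1                  # word-split the variable into positional parameters
    [ -n "$1" ] || return 1
    printf '%s\n' "$1"
}

# is_ipv4 ADDRESS
#   Minimal sanity check: four dotted decimal octets, each between 0 and 255.
is_ipv4() {
    addr=$1
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# allow_ip CSF_ALLOW_FILE ADDRESS [COMMENT]
#   Appends "ADDRESS # COMMENT" to the csf.allow file (one entry per line; text
#   after '#' is a comment) unless the address is already listed.
#   Returns 0 when the address was added, 2 when it was already present,
#   1 when ADDRESS is not a valid IPv4 address.
allow_ip() {
    file=$1; addr=$2; comment=${3:-"added by allow_ip"}
    is_ipv4 "$addr" || { echo "allow_ip: '$addr' is not an IPv4 address" >&2; return 1; }
    # escape the dots so the address is matched literally, then look for it at
    # the start of a line followed by whitespace, a comment marker or end of line
    pattern="^[[:space:]]*$(echo "$addr" | sed 's/\./\\./g')([[:space:]]|#|$)"
    if grep -Eq "$pattern" "$file" 2>/dev/null; then
        return 2
    fi
    printf '%s # %s\n' "$addr" "$comment" >> "$file"
}

# Live use (assumed default path /etc/csf/csf.allow):  sh whitelist_ssh.sh apply
if [ "${1:-}" = "apply" ]; then
    ip=$(ssh_client_ip "${SSH_CONNECTION:-}") || { echo "not running inside an SSH session" >&2; exit 1; }
    rc=0; allow_ip /etc/csf/csf.allow "$ip" "current SSH session" || rc=$?
    case $rc in
        0) echo "whitelisted $ip in /etc/csf/csf.allow" ;;
        2) echo "$ip is already in /etc/csf/csf.allow" ;;
        *) exit 1 ;;
    esac
fi
```

Run it as "sh whitelist_ssh.sh apply" from the SSH session you want to keep, then restart csf so the new entry is loaded. Only plain IPv4 addresses are handled: an IPv6 session is rejected by is_ipv4, and csf.allow's CIDR and port/protocol syntax is not generated here.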
Step 3. Manage the CSF Service
In the previous step we downloaded and installed CSF, and then confirmed that the iptables modules are loaded. Next, start and enable the CSF service.
Execute the following command to start and enable CSF.
sudo systemctl start csf.service && sudo systemctl enable csf.service
To check the status of the CSF service:
sudo systemctl status csf.service
You should receive the following output:
[root@host csf]# sudo systemctl status csf
csf.service - ConfigServer Firewall & Security - csf
Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: disabled)
Active: active (exited) since Mon 2022-08-08 17:13:49 EDT; 5s ago
Main PID: 6595 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 23666)
Memory: 0B
CGroup: /system.slice/csf.service
Aug 08 17:13:49 host.test.vps csf[6595]: csf: FASTSTART loading UDP_IN (IPv4)
Aug 08 17:13:49 host.test.vps csf[6595]: csf: FASTSTART loading UDP_OUT (IPv4)
Aug 08 17:13:49 host.test.vps csf[6595]: ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
Aug 08 17:13:49 host.test.vps csf[6595]: ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
Aug 08 17:13:49 host.test.vps csf[6595]: LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
Aug 08 17:13:49 host.test.vps csf[6595]: LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
Aug 08 17:13:49 host.test.vps csf[6595]: csf: FASTSTART loading DNS (IPv4)
Aug 08 17:13:49 host.test.vps csf[6595]: LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
Aug 08 17:13:49 host.test.vps csf[6595]: LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
Aug 08 17:13:49 host.test.vps systemd[1]: Started ConfigServer Firewall & Security - csf.
Step 4. Configuring CSF
At the end of the installation, the installer printed the following reminders.
- Configure the following options in the csf configuration to suite your server: TCP_*, UDP_*
- Restart csf and lfd
- Set TESTING to 0 once you’re happy with the firewall, lfd will not run until you do so.
First, set the allowed TCP ports in /etc/csf/csf.conf:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
Next, set TESTING to 0:
# lfd will not start while this is enabled
TESTING = "0"
Finally, start the lfd service and restart CSF for the changes to take effect.
sudo systemctl start lfd.service
sudo systemctl restart csf.service
Check the status of the lfd service:
sudo systemctl status lfd.service
You should receive the following output:
[root@host csf]# systemctl status lfd
lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2022-08-08 17:31:26 EDT; 13s ago
Process: 6961 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 6970 (lfd - sleeping)
Tasks: 1 (limit: 23666)
Memory: 124.2M
CGroup: /system.slice/lfd.service
└─6970 lfd - sleeping
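As an added example (not part of CSF or of this tutorial), the POSIX sh script below applies the Step 4 edits to csf.conf without a text editor and adds the check a practitioner wants before turning TESTING off: it reads the SSH port from sshd_config and refuses to set TESTING to 0 if that port is not in TCP_IN, because a firewall that drops the SSH port locks you out of the server. The paths /etc/csf/csf.conf and /etc/ssh/sshd_config in the apply branch are the distribution defaults, and the "apply" argument is this script's own convention.

```shell
#!/bin/sh
# Added example (not part of CSF): apply the TCP_IN / TCP_OUT / TESTING edits
# from Step 4 with sed, and only disable TESTING when the SSH port is allowed in.
# Every function takes file paths as arguments so it can be tried on a copy of
# csf.conf before touching the live one.

# csf_set CONF KEY VALUE
#   Replace the line 'KEY = "..."' in CONF with 'KEY = "VALUE"'. Fails if the
#   key is not present, so a typo cannot silently add an unknown setting.
csf_set() {
    conf=$1; key=$2; value=$3
    grep -Eq "^$key[[:space:]]*=" "$conf" || { echo "csf_set: no $key line in $conf" >&2; return 1; }
    sed -i "s|^$key[[:space:]]*=.*|$key = \"$value\"|" "$conf"
}

# csf_get CONF KEY -- print the value between the quotes of 'KEY = "..."'
csf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1"
}

# port_in_list PORT LIST
#   True if PORT is one of the comma-separated single ports in LIST. Port ranges
#   such as 30000:35000, which csf.conf also accepts, are not expanded.
port_in_list() {
    echo ",$2," | grep -qF ",$1,"
}

# ssh_port SSHD_CONFIG -- the first 'Port' directive in sshd_config, default 22
ssh_port() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" 2>/dev/null | head -n 1)
    echo "${p:-22}"
}

# configure_csf CONF SSHD_CONFIG
#   The Step 4 edits. Returns 3 (and leaves TESTING untouched) when the SSH port
#   is missing from TCP_IN, so the caller notices before restarting csf.
configure_csf() {
    conf=$1; sshd=$2
    csf_set "$conf" TCP_IN  "20,21,22,25,53,80,110,143,443,465,587,993,995" || return 1
    csf_set "$conf" TCP_OUT "20,21,22,25,53,80,110,113,443,587,993,995" || return 1
    port=$(ssh_port "$sshd")
    if ! port_in_list "$port" "$(csf_get "$conf" TCP_IN)"; then
        echo "configure_csf: SSH port $port is not in TCP_IN; leaving TESTING enabled" >&2
        return 3
    fi
    csf_set "$conf" TESTING 0
}

# Live use (assumed default paths):  sh configure_csf.sh apply
if [ "${1:-}" = "apply" ]; then
    configure_csf /etc/csf/csf.conf /etc/ssh/sshd_config || exit 1
    systemctl start lfd.service && systemctl restart csf.service
fi
```

If your sshd listens on a non-default port, add that port to the TCP_IN string in configure_csf before running it; the check will otherwise keep TESTING at 1 and lfd will stay stopped, which is the safe failure.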
Step 5. Basic CSF commands
Here are some basic commands for enabling, disabling, and otherwise managing CSF.
Enable CSF
csf -e
Whitelist IP address in CSF
csf -a 192.168.1.1
Block IP address in CSF
csf -d 192.168.1.2
List the current temporary allow and deny entries, with their TTLs and comments
csf -t
Restart CSF
csf -r
Disable CSF
csf -x
Installing and configuring CSF (ConfigServer Security & Firewall) on AlmaLinux significantly improves the server's security by providing a comprehensive and customizable firewall. With features such as login tracking, port blocking, and intrusion detection, CSF helps administrators monitor and control access to the server effectively. This tutorial covered installing CSF, configuring it, and securing the server with it.
Once CSF is up and running, keep its rules up to date and monitor its logs regularly to stay ahead of potential vulnerabilities. CSF is powerful out of the box, but taking the time to tune its settings to your server's needs gives you better protection and performance.