[CSF] Install ConfigServer Security & Firewall Application

Anastasija
ConfigServer Security & Firewall (CSF) is a popular Linux firewall security suite. It is easy to install, flexible to configure, and adds extra security checks on top of iptables. CSF lets you control exactly which traffic is allowed in and out of the server and protects the server from malicious attacks.

Preliminary requirements:

CentOS 7, Fedora 23, Ubuntu 16.04 or Debian 8 OS installed

Installation of ConfigServer Security & Firewall


On CentOS / Fedora, first install the Perl packages that CSF requires:

yum install perl-libwww-perl.noarch perl-Time-HiRes perl-core -y

On Ubuntu and Debian this step is not required. Next, download the CSF source archive and unpack it:

wget http://download.configserver.com/csf.tgz
tar xzf csf.tgz


Then run the CSF installation script:

cd csf
sh install.sh


After installation, run the test script to make sure that all iptables modules CSF needs are available on your VPS:

perl /usr/local/csf/bin/csftest.pl

If all required iptables modules are present, the output looks like this:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Once the module check passes, enable CSF by opening its configuration file:

vi /etc/csf/csf.conf

Change the TESTING value to zero. While TESTING is "1", CSF keeps a cron job that flushes the iptables rules every few minutes as a safety net against locking yourself out, so the firewall does not enforce anything until you change it:

TESTING = "0"

Save the file and run the following command to restart CSF and load the new configuration:

csf -r

That is it: ConfigServer Security & Firewall is now installed and running on your server.

Enable ConfigServer Security & Firewall Web UI


ConfigServer Security & Firewall provides a built-in Web UI for managing the firewall from a browser. Once the Web UI is enabled, the firewall is reachable on the port you specify and can be managed through a graphical interface.

First, install the Perl modules the Web UI requires:

For CentOS / Fedora execute:

yum install perl-IO-Socket-INET6 perl-Socket6 -y

For Debian / Ubuntu execute:

apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libwww-perl -y

To enable the Web UI, edit the configuration file:

vi /etc/csf/csf.conf

Modify the following values:

# 1 to enable, 0 to disable
UI = "1"

# Set this to the port that want to bind this service to. You should configure
# this port to be >1023 and different from any other port already being used
#
# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
# to the port using Advanced Allow Filters (see readme.txt)
UI_PORT = "7777"

# Optionally set the IP address to bind to. Normally this should be left blank
# to bind to all IP addresses on the server.
#
# If the server is configured for IPv6 but the IP to bind to is IPv4, then the
# IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
# ::ffff:1.2.3.4
#
# Leave blank to bind to all IP addresses on the server
UI_IP = "111.111.111.111"

# This should be a secure, hard to guess username
#
# This must be changed from the default
UI_USER = "username"

# This should be a secure, hard to guess password. That is, at least 8
# characters long with a mixture of upper and lowercase characters plus
# numbers and non-alphanumeric characters
#
# This must be changed from the default
UI_PASS = "password"
where:

* UI - "1" enables the Web UI;
* UI_PORT - the port on which the CSF Web UI is served (it must stay out of TCP_IN; access is restricted through ui.allow instead);
* UI_IP - your server's IP address. Leave it blank to bind to all IP addresses on the server (e.g. if you have additional IPs);
* UI_USER - username for accessing the CSF Web UI;
* UI_PASS - password for accessing the CSF Web UI (it must be changed from the default).

Then add your public IP address to /etc/csf/ui/ui.allow; only addresses listed in this file are allowed to reach the CSF Web UI:

echo "your_public_ip_address" >> /etc/csf/ui/ui.allow

Finally, restart lfd (the Login Failure Daemon), which serves the CSF Web UI:

service lfd restart

You can now access the ConfigServer Security & Firewall Web UI at your server's IP address and the port specified earlier:

https://server_ip_address:port

Note: use HTTPS to access the Web UI.
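The csf.conf comments above warn that UI_PORT must not be opened in TCP_IN (trusted addresses go in ui.allow instead) and that the default username and password must be changed. The following script is an added example, not part of the original post or of the CSF project: it checks those points, plus that ui.allow actually lists an address, before the UI is exposed. The function names and the constructed sample values are my own; it assumes the 'KEY = "value"' quoting style that csf.conf uses, as shown above.

```shell
#!/bin/sh
# Added example, not part of the original post or of the CSF project.
# Checks the Web UI settings before the UI is exposed: the port must be
# unprivileged and must NOT be opened to the world in TCP_IN (csf.conf says
# to admit trusted addresses via ui.allow instead), the default credentials
# must be gone, and ui.allow must list at least one address. File paths are
# parameters so the check can be run against copies of the real files.

# csf_get FILE KEY: print the value of a quoted 'KEY = "value"' line
csf_get() {
    sed -n "s/^$2 = \"\([^\"]*\)\".*/\1/p" "$1"
}

# port_in_list PORT LIST: LIST is a csf port list such as "20,21,22,80,443";
# ranges written as "30000:35000" are honoured. Runs in a subshell so the
# IFS change stays local to the function.
port_in_list() (
    port=$1
    IFS=,
    for item in $2; do
        case $item in
            *:*) lo=${item%%:*}; hi=${item##*:}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && exit 0 ;;
            *)   [ "$item" = "$port" ] && exit 0 ;;
        esac
    done
    exit 1
)

# csf_ui_check CSF_CONF UI_ALLOW: print every problem found, return 1 if any
csf_ui_check() {
    conf=$1; allow=$2; rc=0
    port=$(csf_get "$conf" UI_PORT)
    user=$(csf_get "$conf" UI_USER)
    pass=$(csf_get "$conf" UI_PASS)
    tcp_in=$(csf_get "$conf" TCP_IN)

    [ "$(csf_get "$conf" UI)" = "1" ] || { echo "UI is not enabled"; rc=1; }
    case $port in
        ''|*[!0-9]*) echo "UI_PORT is not a number"; rc=1 ;;
        *) if [ "$port" -le 1023 ]; then echo "UI_PORT $port is a privileged port"; rc=1; fi
           if port_in_list "$port" "$tcp_in"; then
               echo "UI_PORT $port is open to everyone via TCP_IN; remove it and use ui.allow"; rc=1
           fi ;;
    esac
    # "username" / "password" are the values shipped in csf.conf
    case $user in ''|username) echo "UI_USER is still the default"; rc=1 ;; esac
    case $pass in ''|password) echo "UI_PASS is still the default"; rc=1 ;; esac
    [ ${#pass} -ge 8 ] || { echo "UI_PASS is shorter than 8 characters"; rc=1; }
    # ui.allow needs at least one non-comment, non-blank line
    grep -Eqs '^[^#[:space:]]' "$allow" || { echo "$allow lists no allowed address"; rc=1; }
    return $rc
}

# Typical use on the live files:
#   csf_ui_check /etc/csf/csf.conf /etc/csf/ui/ui.allow && service lfd restart
```

Run it before restarting lfd; every line it prints is a setting to fix first, and a clean run exits 0 so it can gate the restart as in the last comment.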




DoS / DDoS attacks prevention with ConfigServer Security & Firewall


ConfigServer Security & Firewall can be configured to protect a VPS against small, limited DoS/DDoS attacks through its Connection Tracking feature. To enable it, edit /etc/csf/csf.conf. If you have enabled the Web UI, you can edit the configuration there: go to "ConfigServer Firewall" and select "Firewall Configuration". Otherwise, edit /etc/csf/csf.conf over SSH:

vi /etc/csf/csf.conf

First, set the total number of connections allowed from a single host ("0" leaves connection tracking disabled):

CT_LIMIT = "20"

Set the connection tracking interval, in seconds:

CT_INTERVAL = "30"

Enable an email alert for each blocked IP address:

CT_EMAIL_ALERT = "1"

Enable permanent blocking of offending IP addresses ("1" enabled, "0" disabled):

CT_PERMANENT = "1"

If permanent blocking is disabled, set how long (in seconds) an IP stays blocked:

CT_BLOCK_TIME = "1800"

To apply connection tracking only to specific ports, list them in CT_PORTS. If it is left empty, all ports are checked:

CT_PORTS = "22,23,80,443"



Afterwards, restart CSF and lfd. If you made the changes via the Web UI, just press the "Restart csf+lfd" button; otherwise run the following command over SSH:

csf -r && service lfd restart
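The TESTING step in the installation section and the CT_* settings above are all plain key edits in csf.conf. The following helpers are an added example, not part of the original post or of the CSF project: they make those edits from a script without ever adding an unknown key, apply the Connection Tracking values shown above in one call, and refuse to run csf -r while TESTING is still "1". The function names are my own, the csf.conf path is taken as a parameter, and GNU sed -i is assumed.

```shell
#!/bin/sh
# Added example, not part of the original post or of the CSF project.
# Small helpers for editing /etc/csf/csf.conf from a script: an idempotent
# key setter that refuses unknown keys, a getter, the Connection Tracking
# settings from the post applied in one go, and a restart guard that will not
# reload the firewall while TESTING is still "1". The csf.conf path is a
# parameter so the functions can be tried on a scratch copy first.
# Assumes GNU sed (-i).

# csf_get FILE KEY: print the value of a quoted 'KEY = "value"' line
csf_get() {
    sed -n "s/^$2 = \"\([^\"]*\)\".*/\1/p" "$1"
}

# csf_set FILE KEY VALUE: rewrite the quoted value of an existing key.
# Returns 1 (and changes nothing) if KEY is absent, so a typo cannot quietly
# add a setting that csf will never read.
csf_set() {
    file=$1; key=$2; value=$3
    if ! grep -Eq "^${key} = \"[^\"]*\"" "$file"; then
        echo "csf_set: ${key} not found in ${file}" >&2
        return 1
    fi
    # escape the characters that are special in a sed replacement
    esc=$(printf '%s' "$value" | sed 's|[/&\\]|\\&|g')
    sed -i "s/^\(${key} = \)\"[^\"]*\"/\1\"${esc}\"/" "$file"
}

# csf_enable_ct FILE: the Connection Tracking values shown in the post
csf_enable_ct() {
    csf_set "$1" CT_LIMIT 20 &&
    csf_set "$1" CT_INTERVAL 30 &&
    csf_set "$1" CT_EMAIL_ALERT 1 &&
    csf_set "$1" CT_PERMANENT 1 &&
    csf_set "$1" CT_BLOCK_TIME 1800 &&
    csf_set "$1" CT_PORTS "22,23,80,443"
}

# csf_safe_restart FILE: reload csf and lfd, but only once TESTING is "0";
# with TESTING = "1" csf's cron job flushes the rules again within minutes.
csf_safe_restart() {
    if [ "$(csf_get "$1" TESTING)" != "0" ]; then
        echo "refusing to restart: TESTING is still enabled in $1" >&2
        return 1
    fi
    csf -r && service lfd restart
}

# Typical use on the live file:
#   csf_set /etc/csf/csf.conf TESTING 0 \
#     && csf_enable_ct /etc/csf/csf.conf \
#     && csf_safe_restart /etc/csf/csf.conf
```

Because csf_set only rewrites lines that already exist, a mistyped key fails loudly instead of leaving a dead setting in the file, and the restart guard stops the common mistake of restarting with TESTING still enabled and then wondering why the rules vanish a few minutes later.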

More information about ConfigServer Security & Firewall can be found here:

https://www.configserver.com/cp/csf.html
