ConfigServer Security & Firewall is a popular Linux firewall security suite. It is easy to install, flexible to configure, and secure with extra checks. CSF helps to control exactly what traffic is allowed in and out of the server and to protect the server from malicious attacks.
Preliminary requirements:
CentOS 7, Fedora 23, Ubuntu 16.04, or Debian 8 OS installed
Installation of ConfigServer Security & Firewall
On CentOS / Fedora, first install the Perl packages CSF requires:
yum install perl-libwww-perl.noarch perl-Time-HiRes perl-core -y
On Ubuntu and Debian this step is not required. Next, download the CSF source archive:
wget http://download.configserver.com/csf.tgz
tar xzf csf.tgz
Then run the CSF installation script:
cd csf
sh install.sh
After installation, run the test script to make sure that all iptables modules CSF needs are available on your VPS:
perl /usr/local/csf/bin/csftest.pl
If all required iptables modules are present, the output looks like this:
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing xt_connlimit…OK
Testing ipt_owner/xt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK
RESULT: csf should function on this server
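For scripted installs, the check worth having is one that refuses to continue when any module test fails instead of relying on a person reading the output. The following is an added example, not part of csftest.pl or the CSF project; the function name csf_preflight_ok and the two sample outputs are constructed for this page (the "FAILED" line imitates the format of a missing module, the "OK" lines and the success RESULT line match the output above):

```shell
#!/bin/sh
# Added example, not part of csftest.pl or the CSF project: a preflight check
# that reads the csftest.pl output (from standard input) and fails unless every
# "Testing ..." line ends in OK and the final RESULT line is the success one.
# The function name csf_preflight_ok is an assumption of this example.
#
# Real use on a server:
#   perl /usr/local/csf/bin/csftest.pl | csf_preflight_ok || exit 1

csf_preflight_ok() {
    failed=0      # number of module tests that did not report OK
    result=1      # becomes 0 once the success RESULT line is seen
    while IFS= read -r line; do
        case "$line" in
            Testing*...OK) ;;                                    # module present
            Testing*)      failed=$((failed + 1))
                           printf 'missing iptables module: %s\n' "$line" >&2 ;;
            "RESULT: csf should function on this server") result=0 ;;
        esac
    done
    [ "$failed" -eq 0 ] && [ "$result" -eq 0 ]
}

# Constructed sample outputs for an offline run (real text comes from csftest.pl).
good_output='Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_recent...OK
RESULT: csf should function on this server'

bad_output='Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_recent...FAILED [FATAL Error: iptables: No chain/target/match by that name.] - Required for PORTFLOOD and PORTKNOCKING features
RESULT: csf will not function on this server due to FATAL errors from missing modules'

if printf '%s\n' "$good_output" | csf_preflight_ok; then
    echo "sample 1: all modules present"
fi
if ! printf '%s\n' "$bad_output" | csf_preflight_ok; then
    echo "sample 2: do not proceed until the missing module is available"
fi
```

On a real server the function only needs the live output piped into it; each missing module is echoed to stderr, so the line naming it survives in a provisioning log.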
After checking the iptables modules, enable CSF by editing its configuration file:
vi /etc/csf/csf.conf
Change the TESTING value to zero. While TESTING = "1", a cron job clears the firewall rules every few minutes (TESTING_INTERVAL) so that a mistake cannot lock you out; set it to "0" only once TCP_IN includes your SSH port:
TESTING = "0"
Save the configuration file and run the following command to restart CSF and load the new settings:
csf -r
That is it: ConfigServer Security & Firewall is now installed on your server.
Enable ConfigServer Security & Firewall Web UI
ConfigServer Security & Firewall includes a built-in Web UI for managing the firewall from a browser. Once it is enabled, you can reach the firewall on the port you specify and manage it through a graphical interface.
First install the Perl modules the Web UI requires:
For CentOS / Fedora execute:
yum install perl-IO-Socket-INET6 perl-Socket6 -y
For Debian / Ubuntu execute:
apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libwww-perl -y
To enable the Web UI, edit the configuration file:
vi /etc/csf/csf.conf
Set the following values:
# 1 to enable, 0 to disable
UI = "1"
# Set this to the port that you want to bind this service to. You should configure
# this port to be >1023 and different from any other port already being used
#
# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
# to the port using Advanced Allow Filters (see readme.txt)
UI_PORT = "7777"
# Optionally set the IP address to bind to. Normally this should be left blank
# to bind to all IP addresses on the server.
#
# If the server is configured for IPv6 but the IP to bind to is IPv4, then the
# IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
# ::ffff:1.2.3.4
#
# Leave blank to bind to all IP addresses on the server
UI_IP = "111.111.111.111"
# This should be a secure, hard to guess username
#
# This must be changed from the default
UI_USER = "username"
# This should be a secure, hard to guess password. That is, at least 8
# characters long with a mixture of upper and lowercase characters plus
# numbers and non-alphanumeric characters
#
# This must be changed from the default
UI_PASS = "password"
where:
* UI – set to "1" to enable the Web UI;
* UI_PORT – the port used to reach the CSF Web UI from a browser;
* UI_IP – the server IP address to bind to. Leave it blank to bind to all IP addresses on the server (e.g. if you have additional IPs);
* UI_USER – username for accessing the CSF Web UI;
* UI_PASS – password for accessing the CSF Web UI.
Next, add your public IP address to /etc/csf/ui/ui.allow; lfd only accepts Web UI connections from addresses listed in that file:
echo "your_public_ip_address" >> /etc/csf/ui/ui.allow
Finally, restart lfd (Login Failure Daemon), the service that runs the CSF Web UI:
service lfd restart
Now you can access the ConfigServer Security & Firewall Web UI at your server's IP address and the port specified earlier:
https://server_ip_address:port
Note: use HTTPS to access the Web UI.
DoS / DDoS attacks prevention with ConfigServer Security & Firewall
ConfigServer Security & Firewall can be configured to protect your VPS from DoS / DDoS attacks by tracking the number of connections each source IP address holds. To enable it, edit the /etc/csf/csf.conf file. If the Web UI is enabled, you can edit the configuration there: go to "ConfigServer Firewall" and select "Firewall Configuration". Otherwise, edit /etc/csf/csf.conf over SSH:
vi /etc/csf/csf.conf
First, set the total number of connections allowed from a single host; an IP address exceeding this limit is blocked:
CT_LIMIT = "20"
Set the connection tracking interval in seconds (how often lfd counts the connections per host):
CT_INTERVAL = "30"
Send an email alert for each blocked IP address:
CT_EMAIL_ALERT = "1"
Enable permanent blocking of offending IP addresses ("1" to enable, "0" to disable):
CT_PERMANENT = "1"
If permanent blocking is disabled, set how long (in seconds) an IP address remains blocked:
CT_BLOCK_TIME = "1800"
To track connections only on specific ports, list them in CT_PORTS. If it is left empty, all ports are checked:
CT_PORTS = "22,23,80,443"
Afterwards, restart the CSF service and the lfd daemon. If you made the changes via the Web UI, just press the "Restart csf+lfd" button. Otherwise run the following command over SSH:
csf -r && service lfd restart
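The settings above (TESTING in the installation section, the UI_* keys in the Web UI section and the CT_* keys in this section) are all edited by hand in csf.conf, which is where lock-outs and left-over defaults come from. The following is an added example, not CSF project code: two small helpers that set keys in the KEY = "value" form csf.conf uses, and a checker that flags the mistakes this guide warns about before csf and lfd are restarted. Function names and the demo values are assumptions of this example; the rule that UI_PORT must not appear in TCP_IN comes from the csf.conf comment quoted in the Web UI section. Every function takes the config path as its first argument, so it can be tried on a scratch copy before being pointed at /etc/csf/csf.conf:

```shell
#!/bin/sh
# Added example, not CSF project code: helpers that set csf.conf keys in the
# KEY = "value" form and sanity-check the settings this guide touches
# (TESTING, the UI_* keys and the CT_* keys) before csf/lfd are restarted.
# Function names and demo values are assumptions of this example.

# csf_set FILE KEY VALUE: rewrite the KEY = "..." line, or append it if missing.
csf_set() {
    file=$1; key=$2
    # escape the characters that are special in a sed replacement (&, the | delimiter, \)
    esc=$(printf '%s' "$3" | sed 's/[&|\\]/\\&/g')
    if grep -q "^${key} = " "$file"; then
        tmp=$(mktemp) || return 1
        sed "s|^${key} = .*|${key} = \"${esc}\"|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s = "%s"\n' "$key" "$3" >> "$file"
    fi
}

# csf_get FILE KEY: print the value of KEY with its surrounding quotes removed.
csf_get() {
    sed -n "s|^${2} = \"*\([^\"]*\)\"*.*|\1|p" "$1" | head -n 1
}

# csf_check FILE: print one line per problem; return 0 only when none is found.
csf_check() {
    file=$1; problems=0
    complain() { printf 'csf.conf: %s\n' "$1"; problems=$((problems + 1)); }

    [ "$(csf_get "$file" TESTING)" = "0" ] ||
        complain 'TESTING is still "1": the rules are flushed every TESTING_INTERVAL minutes'

    port=$(csf_get "$file" UI_PORT)
    case "$port" in
        ''|*[!0-9]*) complain "UI_PORT '$port' is not a number" ;;
        *) [ "$port" -gt 1023 ] && [ "$port" -le 65535 ] ||
               complain "UI_PORT $port must be >1023 and <=65535"
           # the UI port is protected by /etc/csf/ui/ui.allow, not by opening it in TCP_IN
           case ",$(csf_get "$file" TCP_IN)," in
               *",$port,"*) complain "UI_PORT $port is listed in TCP_IN; remove it there" ;;
           esac ;;
    esac

    for key in UI_USER UI_PASS; do
        case "$(csf_get "$file" "$key")" in
            ''|username|password) complain "$key is still the default" ;;
        esac
    done
    pass=$(csf_get "$file" UI_PASS)
    [ "${#pass}" -ge 8 ] || complain "UI_PASS is shorter than 8 characters"

    for key in CT_LIMIT CT_INTERVAL CT_BLOCK_TIME; do
        case "$(csf_get "$file" "$key")" in
            ''|*[!0-9]*) complain "$key is not a number" ;;
        esac
    done
    ports=$(csf_get "$file" CT_PORTS)       # empty means every port is tracked
    old_ifs=$IFS; IFS=,
    for p in $ports; do
        case "$p" in
            ''|*[!0-9]*) complain "CT_PORTS entry '$p' is not a port number" ;;
        esac
    done
    IFS=$old_ifs

    [ "$problems" -eq 0 ]
}

# Constructed demonstration on a scratch copy, never on the live /etc/csf/csf.conf.
demo=$(mktemp)
printf '%s\n' 'TESTING = "1"' 'TCP_IN = "20,21,22,25,53,80,110,143,443"' \
    'UI = "0"' 'UI_PORT = "7777"' 'UI_USER = "username"' 'UI_PASS = "password"' > "$demo"
csf_check "$demo" || echo "--- defaults still in place, applying the settings from this guide ---"
csf_set "$demo" TESTING 0
csf_set "$demo" UI 1
csf_set "$demo" UI_USER fw-admin-k7q2
csf_set "$demo" UI_PASS 'Ex4mple!Only&Change'
csf_set "$demo" CT_LIMIT 20
csf_set "$demo" CT_INTERVAL 30
csf_set "$demo" CT_EMAIL_ALERT 1
csf_set "$demo" CT_PERMANENT 1
csf_set "$demo" CT_BLOCK_TIME 1800
csf_set "$demo" CT_PORTS 22,23,80,443
csf_check "$demo" && echo "settings consistent; on a server run: csf -r && service lfd restart"
rm -f "$demo"
```

The checker deliberately reads the same file lfd will read, so running it as the last step before `csf -r && service lfd restart` catches a UI port accidentally added to TCP_IN, a default UI_USER or UI_PASS, a non-numeric CT_* value, and a TESTING mode that was never switched off.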
More information about ConfigServer Security & Firewall can be found here: