How To Configure CSF Firewall On Your Server

In this howto I will describe how to install and configure a full-featured firewall on your server using the Config Server Firewall (CSF) script from http://www.configserver.com. A firewall is a basic need of every server nowadays, and people try to protect their servers with all sorts of scripts, but CSF gives an all-in-one solution. The other tools available are either over-complex, not user friendly, or simply aren't as effective as they could be; that is the reason CSF was developed.

You can see the features on following site.

http://www.configserver.com/cp/csf.html

1) Download CSF

[root@server1 ~]# cd /usr/src
[root@server1 src]# wget http://www.configserver.com/free/csf.tgz

2) Install CSF

[root@server1 src]# tar zxvf csf.tgz
[root@server1 src]# cd csf
[root@server1 csf]# ./install.sh

It will compile and install csf under the /etc/csf/ directory; now we will configure it.

3) Configuration

First run the following command to check that you have all the required iptables modules for running CSF in full. Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors.

[root@server1 csf]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing ipt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK

RESULT: csf should function on this server

Looks 100% OK.

Now, if you are running the APF/BFD firewall, it has to be removed for csf to work.

[root@server1 csf]# sh /etc/csf/remove_apf_bfd.sh
Removing apf and/or bfd…

/etc/csf/remove_apf_bfd.sh: line 5: apf: command not found
error reading information on service apf: No such file or directory
error reading information on service apf: No such file or directory

…Done

I don't use it, so of course it was not found.

Now we configure the csf config file to implement the firewall as per our needs.

[root@server1 csf]# vi /etc/csf/csf.conf

The following setting runs csf in Testing Mode: if we lock ourselves out by mistake, it will flush all firewall rules after 5 minutes so we can get back in and fix it.

TESTING = "1"

We will change it to zero "0" when we have finished and are sure all the right rules are in.

List all the ports you want open on your server for incoming traffic, separated by commas.

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

Also open any ports you want for outgoing traffic.

TCP_OUT = "20,21,22,25,53,80,110,113,443"

The same goes for UDP_IN and UDP_OUT. Remember that if you are running a DNS service you have to open port 53 in UDP_IN, since DNS on port 53 runs over UDP rather than TCP.

UDP_IN = "20,21,53"

To allow outgoing traceroute, add 33434:33523 to this list.

UDP_OUT = "20,21,53,113,123,33434:33523"

If you want people to ping your server without any timeouts, change the following value to zero "0". The default value limits pings to 1 per second, which may show ping timeouts and give the impression that your server is dropping packets.

ICMP_IN_RATE = "0"

SYN flood protection is configured with the following lines; if you want to change the RATE or BURST values, adjust them to match your traffic.

SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"

Currently the RATE is 100/s and the BURST can go up to 150. This can vary from server to server.

To protect any specific port on your server from DoS attacks, define it in the PORTFLOOD setting. This option limits the number of new connections that can be made to specific ports per time interval.

By default it is empty; I would like to limit port 80 (the web server) to 20 connections per 5 seconds.

PORTFLOOD = "80;tcp;20;5"

This protects port 80 running on protocol tcp at 20 connections per 5 seconds; the four fields are separated by semicolons. Use the same format for more ports.

Define the email address that should receive the alerts, and the address the alerts should be sent from.

LF_ALERT_TO = "so******@gm***.com"

LF_ALERT_FROM = "cs*@so********.com"
This gives you more firewall than most servers need. CSF has tons of options, and you can edit csf.conf further to suit your needs.

After this, save the file and restart the csf service.

[root@server1 csf]# /etc/init.d/csf start

Don't be scared by the long list of iptables commands scrolling by 🙂

CSF will start in Testing Mode. Now check whether the rules are implemented correctly; if you have accidentally blocked yourself, wait 5 minutes and then log in again to fix it.

Once you have completed the configuration and are sure that every rule is implemented correctly, change TESTING from 1 to 0 to run CSF permanently.

TESTING = "0"

Then restart the service again to activate it.

[root@server1 csf]# /etc/init.d/csf restart
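As an added example (not the post's own commands and not part of CSF), the settings from the walkthrough applied by a small POSIX shell helper that also guards the switch from TESTING = "1" to "0", refusing it unless the SSH port is in TCP_IN. The sample csf.conf it writes is constructed, and the CSF_CONF variable and every function name are the example's own assumptions.

```shell
# Added example, not part of the original post or of CSF itself: apply the
# csf.conf settings from this walkthrough with a small helper instead of
# editing by hand, and refuse to leave TESTING mode unless the SSH port is
# in TCP_IN, which is the lockout the post warns about. Needs GNU sed -i.
# CSF_CONF is the file to edit; the default is a constructed sample path.
CSF_CONF="${CSF_CONF:-/tmp/csf.conf.sample}"

# Set KEY = "VALUE", replacing an existing line or appending a new one.
csf_set() {
  key=$1; val=$2
  if grep -q "^${key} *= *\"" "$CSF_CONF"; then
    sed -i "s|^${key} *= *\".*\"|${key} = \"${val}\"|" "$CSF_CONF"
  else
    printf '%s = "%s"\n' "$key" "$val" >> "$CSF_CONF"
  fi
}

# Print the value of KEY without its quotes.
csf_get() {
  sed -n "s/^$1 *= *\"\(.*\)\"/\1/p" "$CSF_CONF"
}

# The values used in the walkthrough above.
apply_walkthrough() {
  csf_set TCP_IN  "20,21,22,25,53,80,110,143,443,465,587,993,995"
  csf_set TCP_OUT "20,21,22,25,53,80,110,113,443"
  csf_set UDP_IN  "20,21,53"
  csf_set UDP_OUT "20,21,53,113,123,33434:33523"
  csf_set ICMP_IN_RATE "0"
  csf_set PORTFLOOD "80;tcp;20;5"
}

# Return 0 only if port $1 (default 22) is listed in TCP_IN. Port ranges
# such as 1000:2000 are not expanded, so list the SSH port explicitly.
ssh_port_open() {
  csf_get TCP_IN | tr ',' '\n' | grep -qx "${1:-22}"
}

# Switch TESTING to 0 only when the SSH port is open for incoming traffic.
leave_testing_mode() {
  if ssh_port_open "${1:-22}"; then
    csf_set TESTING 0
  else
    echo "refusing to leave TESTING mode: port ${1:-22} not in TCP_IN" >&2
    return 1
  fi
}
# Constructed stand-in for /etc/csf/csf.conf, with SSH missing from TCP_IN.
write_sample_conf() {
  printf 'TESTING = "1"\nTCP_IN = "20,21,25,80"\n' > "$CSF_CONF"
}
```

Point CSF_CONF at /etc/csf/csf.conf to use it on a real install, and run csf restart afterwards as the post describes.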

To allow IP addresses through iptables, insert them one per line. To allow a whole block, use CIDR notation.

[root@server1 csf]# vi /etc/csf/csf.allow

192.168.0.1
192.168.1.0/24

These IPs should also be listed in /etc/csf/csf.ignore so that the lfd daemon ignores them when checking logs.

To deny IP addresses through iptables, insert them one per line. To deny a whole block, use CIDR notation.

[root@server1 csf]# vi /etc/csf/csf.deny

192.168.0.5 #do not delete

The "#do not delete" comment tells csf to ignore the DENY_IP_LIMIT setting for that entry and never remove the IP from this file.
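An added example, not from the post or from CSF: because csf.allow entries take precedence over csf.deny entries and lfd's automatic blocks (the "IP match in csf.allow, block may not work" case), this POSIX shell check reports every deny entry that falls inside an allowed range. The sample files it writes are constructed, and the function names are the example's own.

```shell
# Added example, not part of the original post or of CSF: report csf.deny
# entries (including lfd's automatic blocks) that fall inside a csf.allow
# entry. Allow rules are matched first, so such a block "may not work".

# Convert dotted IPv4 to a 32-bit integer with POSIX sh arithmetic.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if IPv4 address $1 lies inside $2, a bare IP or a CIDR block.
in_cidr() {
  case $2 in
    */*) net=${2%/*}; bits=${2#*/} ;;
    *)   net=$2;      bits=32 ;;
  esac
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Print the IP/CIDR entries of a csf.allow or csf.deny file, dropping
# blank lines, "# do not delete" comments and CSF's advanced "tcp|in|..."
# port-specific syntax, which this check does not evaluate.
entries() {
  sed 's/#.*//; s/[[:space:]]//g' "$1" | grep -v '^$' | grep -v '|'
}

# Print one line per csf.deny entry covered by a csf.allow entry.
# A CIDR deny entry is tested by its network address.
deny_shadowed_by_allow() {
  for d in $(entries "$2"); do
    for a in $(entries "$1"); do
      if in_cidr "${d%/*}" "$a"; then
        echo "deny $d is covered by allow $a: block may not work"
      fi
    done
  done
}

# Constructed samples: csf.allow from the post, csf.deny with the post's
# entry plus one constructed address that sits inside the allowed /24.
write_samples() {
  printf '192.168.0.1\n192.168.1.0/24\n' > "$1"
  printf '192.168.0.5 #do not delete\n192.168.1.77\n' > "$2"
}
```

On a live server run deny_shadowed_by_allow /etc/csf/csf.allow /etc/csf/csf.deny; an allow entry of 0.0.0.0/0 will cover every deny entry.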

Now you have a full-featured firewall installed and running without any errors. What you should do now is re-read the whole /etc/csf/csf.conf file, check every option it offers, and change them according to your firewall needs. I hope you can now edit it easily and do more with it. If you need any help, please leave a comment so everyone can benefit.


15 thoughts on "How To Configure CSF Firewall On Your Server"

  1. Hi,
    As you told above, I am doing exactly the same, but when I run squid and the firewall simultaneously my squid is not working; when I stop csf my squid is working.

    Thanks in advance.

  2. If you want any IP to be permanently allowed to any service on your server, put that IP or network address in
    /etc/csf/csf.allow
    ————————-
    and, the opposite, if you want any IP to be permanently denied any service on your server, put that IP or network address in
    /etc/csf/csf.deny
    ————————
    Regards,

  3. Hi sohail,
    After installing squid I installed the csf firewall; now the squid server is working properly but my Thunderbird is not working.
    Please help me.
    Thanks in advance.

  4. Sir, I installed csf successfully, and then when I restart the service I get the error below.
    I think it is some dependency error.

    And sir, at the end, how can I confirm that this firewall is working? I need a live log or a graphical display showing allowed incoming/outgoing packets, etc.

    [root@localhost csf]# service csf restart
    Stopping csf:Can’t locate Net/CIDR/Lite.pm in @INC (@INC contains: /etc/csf /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 .) at /usr/sbin/csf line 12.
    BEGIN failed--compilation aborted at /usr/sbin/csf line 12.
    [ OK ]

    Starting csf:Can’t locate Net/CIDR/Lite.pm in @INC (@INC contains: /etc/csf /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 .) at /usr/sbin/csf line 12.
    BEGIN failed--compilation aborted at /usr/sbin/csf line 12.
    [ OK ]

  5. @Rashid: Install the perl module Lite.pm; you can search for it on CPAN.
    Regarding a graphical display, it has some display, but for that you need to run webmin.
    Check the features on its site.
    ————
    Regards,

  6. These dependencies are always a Masla Fesaghrous for
    me..

    Sir, wait for my call.

  7. Sir, the perl module did not work, so I did a new installation and csf got installed; now I will check it at home.
    The other problem is that I installed DNS, but now the /etc/named.conf file is showing;
    where is it?

  8. Hi, I just installed csf and configured it, but I would like to know more about the settings, like
    the one that was something like LF_email_when ssh is done:
    should we set the value to 0 to activate it, or should the value remain 1???
    To activate an option, should the value remain 1 or be changed to 0?
    Thank you.

  9. I have configured the csf firewall on my VPS. However, my site becomes inaccessible from everywhere when I enable it.
    I have now set 0.0.0.0/0 in csf.allow. I want to fine tune it. Is there any builtin mechanism so that it can ban suspicious IPs?
    I want to show you an email:

    190P Received: from root by server.kmu.edu.pk with local (Exim 4.80.1)
    (envelope-from )
    id 1VbPq6-0006sw-W9
    for ro**@se****.pk; Wed, 30 Oct 2013 12:05:25 +0500
    011* From: root
    009* To: root
    027T To: ro**@se****.pk
    069 Subject: lfd on server.kmu.edu.pk: blocked 115.47.26.65 (CN/China/-) /* ------- kindly note this
    032F From:
    050I Message-Id:
    038 Date: Wed, 30 Oct 2013 12:05:14 +0500

    Data spool file

    1VbPq6-0006sw-W9-D
    Time: Wed Oct 30 12:05:14 2013 +0500
    IP: 115.47.26.65 (CN/China/-)
    Failures: 5 (smtpauth)
    Interval: 3600 seconds
    Blocked: Permanent Block (IP match in csf.allow, block may not work) /* Look at this line please

    Log entries:

    2013-10-30 11:33:30 fixed_login authenticator failed for (www.saobons.com) [115.47.26.65]:2951: 535 Incorrect authentication data (set_id=in**@km*.pk)
