CSF or “Config Server Firewall” is a web-based and command-line firewall tool for Linux and Unix operating systems. It offers a simple, easy-to-use, advanced web-based interface to configure and manage firewall settings. CSF comes with Login Failure Daemon (LFD) to view user activity due to excessive login failures. If a large number of login failures are seen coming from the same IP address, that IP will immediately be temporarily blocked from all services on your server. CSF can defend your server against many types of attacks like port scans, SYN floods, and login brute force attacks on many services.
In this post, we will show you how to install and configure the CSF firewall on Oracle Linux 8.
- Server running Oracle Linux 8 on the Atlantic.Net Cloud Platform
- A root password configured on your server
Step 1 – Create Atlantic.Net Cloud Server
First, log in to your Atlantic.Net Cloud Server. Create a new server by choosing Oracle Linux 8 as the operating system with at least 2GB of RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.
Once you are logged in to your server, run the following command to update your base system with the latest available packages.
dnf update -y
Step 2 – Install CSF on Oracle Linux 8
CSF is written in Perl, so you will need to install all the required Perl modules on your system. You can install all of them with the following command:
dnf install @perl perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch bind-utils net-tools -y
After installing all the required modules, download the latest version of CSF using the following command:
Once the download is completed, extract the downloaded file with the following command:
tar xzf csf.tgz
Next, navigate to the extracted directory and install the CSF with the following command:
cd csf sh install.sh
Once CSF is installed, you will get the following output:
Don't forget to: 1. Configure the following options in the csf configuration to suite your server: TCP_*, UDP_* 2. Restart csf and lfd 3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so Adding current SSH session IP address to the csf whitelist in csf.allow: Adding 184.108.40.206 to csf.allow only while in TESTING mode (not iptables ACCEPT) *WARNING* TESTING mode is enabled - do not forget to disable it in the configuration 'lfd.service' -> '/usr/lib/systemd/system/lfd.service' 'csf.service' -> '/usr/lib/systemd/system/csf.service' Created symlink /etc/systemd/system/multi-user.target.wants/csf.service → /usr/lib/systemd/system/csf.service. Created symlink /etc/systemd/system/multi-user.target.wants/lfd.service → /usr/lib/systemd/system/lfd.service. Created symlink /etc/systemd/system/firewalld.service → /dev/null. '/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz' Installation Completed
Next, verify if all the required iptables modules are available.
dnf install perl -y perl /usr/local/csf/bin/csftest.pl
If everything is fine, you will get the following output:
Testing ip_tables/iptable_filter...OK Testing ipt_LOG...OK Testing ipt_multiport/xt_multiport...OK Testing ipt_REJECT...OK Testing ipt_state/xt_state...OK Testing ipt_limit/xt_limit...OK Testing ipt_recent...OK Testing xt_connlimit...OK Testing ipt_owner/xt_owner...OK Testing iptable_nat/ipt_REDIRECT...OK Testing iptable_nat/ipt_DNAT...OK RESULT: csf should function on this server
You can now check the CSF version using the following command:
You will get the following output:
*WARNING* URLGET set to use LWP but perl module is not installed, fallback to using CURL/WGET csf: v14.16 (generic) *WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
Step 3 – Configure CSF
By default, CSF’s main configuration file is located at /etc/csf/csf.conf. You will need to edit and change all settings per your requirements:
Change TESTING = “1” to TESTING = “0” and add allowed incoming and outgoing ports per your requirements:
# lfd will not start while this is enabled TESTING = "0" # Allow incoming TCP ports TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995" # Allow outgoing TCP ports TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
Save and close the file when you are finished. Then, start and enable the CSF and LFD services:
systemctl start csf lfd systemctl enable csf lfd
You can check the status of CSF with the following command:
systemctl status csf
You should see the following output:
● csf.service - ConfigServer Firewall & Security - csf Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: disabled) Active: active (exited) since Tue 2022-06-28 10:52:28 EDT; 6s ago Process: 8973 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS) Main PID: 8973 (code=exited, status=0/SUCCESS) Tasks: 0 (limit: 11409) Memory: 0B CGroup: /system.slice/csf.service Jun 28 10:52:27 oraclelinux8 csf: csf: FASTSTART loading UDP_IN (IPv4) Jun 28 10:52:27 oraclelinux8 csf: csf: FASTSTART loading UDP_OUT (IPv4) Jun 28 10:52:27 oraclelinux8 csf: ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0 Jun 28 10:52:28 oraclelinux8 csf: ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0 Jun 28 10:52:28 oraclelinux8 csf: LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 Jun 28 10:52:28 oraclelinux8 csf: LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 Jun 28 10:52:28 oraclelinux8 csf: csf: FASTSTART loading DNS (IPv4) Jun 28 10:52:28 oraclelinux8 csf: LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 Jun 28 10:52:28 oraclelinux8 csf: LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 Jun 28 10:52:28 oraclelinux8 systemd: Started ConfigServer Firewall & Security - csf.
You can also check the ports that are open when CSF is running using the following command:
Ports listening for external connections and the executables running behind them: Port/Proto Open Conn PID/User Command Line Executable 22/tcp 4/- 1 (916/root) /usr/sbin/sshd -D -oCiphers=aes256-g... /usr/sbin/sshd 80/tcp 4/- - (2799/caddy) /usr/bin/caddy run --environ --confi... /usr/bin/caddy 323/udp -/- - (559/chrony) /usr/sbin/chronyd /usr/sbin/chronyd
Step 4 – How to Use CSF
To flush all CSF rules, run the following command:
To reload the CSF firewall, run the following command:
To allow incoming connections from a specific IP, run the following command:
csf -a remote-ip-address
To deny connections from a specific IP, run the following command:
csf -d remote-ip-address
You can also edit the csf.deny and csf.allow file to define the list of allowed and denied IPs on the firewall.
Step 5 – Enable CSF UI
CSF also provides a web-based interface to manage the firewall. It is disabled by default.
Before enabling CSF UI, install the required modules with the following command:
dnf install perl-IO-Socket-SSL perl-Net-SSLeay perl-IO-Socket-INET6 perl-Socket -y
Next, edit the CSF configuration file:
Enable the UI, define the listening port, set the admin username and password as shown below:
# 1 to enable, 0 to disable web ui UI = "1" # Set port for web UI. The default port is 6666, but # I change this to 1025 to easy access. Default port create some issue # with popular chrome and firefox browser (in my case) UI_PORT = "8080" # Leave blank to bind to all IP addresses on the server UI_IP = "" # Set username for authetnication UI_USER = "admin" # Set a strong password for authetnication UI_PASS = "securepassword" UI_ALLOW = "0"
Save and close the file, then restart the CSF and LFD service to apply the changes:
systemctl restart lfd systemctl restart csf
Step 6 – Access CSF UI
Now, open your web browser and access the CSF UI using the URL https://your-server-ip:8080. You should see the CSF login page:
Provide your admin username and password and click on the Login button. You should see the CSF web interface on the following screen:
Step 7 – Remove CSF Firewall
If you want to remove the CSF firewall completely from your server, just run the following script:
This will remove the CSF firewall with all files, directories, and rules created by CSF.
In the above guide, we explained how to install CSF and CSF UI on Oracle Linux 8. We also explained how to ban and unban specific IP addresses with CSF. You can now implement CSF to your server and secured it from the various type of attacks. Try it on VPS hosting from Atlantic.Net!