The guide below is applicable to systems running CentOS 6, CentOS 7 and CentOS 8, and to their RHEL-compatible relatives (RHEL, AlmaLinux, Rocky Linux, Oracle Linux).
The ConfigServer Security & Firewall is a popular open source Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application, compatible with most Linux servers.
CSF can be fully configured to block/restrict ports you don't want open. CSF includes the Login Failure Daemon (LFD), which scans log files and monitors failed login attempts, such as login attempts for FTP and e-mail accounts, and blocks the offending IP according to the rules you have set up. CSF also offers connection limiting, real-time block lists, port scan tracking and much more.
CSF can be easily managed from within its GUI, which is fully compatible with:
- DirectAdmin
- CPanel
- WebMin/Virtualmin.
In order to avoid any conflicts in operation it is important to remove your current firewall. If you are using a different software firewall, be sure to follow that program's uninstall directions before continuing. After completing the uninstallation routine, continue with the CSF installation procedure outlined below.
1. Installation
1.1 Install Dependencies
Begin by installing the required dependencies for the CSF Firewall:
CentOS, RHEL 5 and 6:
yum install perl-libwww-perl
Alternatively, libwww can be installed using CPAN:
perl -MCPAN -e 'install Bundle::LWP'
CentOS, RHEL 7:
yum -y install wget perl unzip net-tools perl-libwww-perl perl-LWP-Protocol-https perl-GDGraph
Alma Linux, Rocky Linux, Oracle Linux, CentOS, RHEL 8:
dnf -y install @perl
dnf -y install wget perl unzip net-tools perl-libwww-perl perl-LWP-Protocol-https perl-GDGraph ipset bind-utils
The archive can also be fetched and unpacked in one step with curl. Note that this only downloads and extracts it; you still need to run install.sh from the extracted csf directory, as described in the next step:
curl -SL https://download.configserver.com/csf.tgz | tar -xzf -
1.2 Install CSF Firewall
Download the CSF archive to the /tmp folder of your server by using wget, unpack the archive by issuing the TAR command and finally install CSF by starting the ./install.sh setup script.
cd /tmp
wget https://download.configserver.com/csf.tgz
tar zxvf csf.tgz
cd csf
./install.sh
You can now remove the installation files:
rm -rf /tmp/csf
rm /tmp/csf.tgz
1.3 Install Webmin Module (optional)
- Install csf as above
- Login to Webmin
- Install the csf webmin module by navigating to:
Webmin > Webmin Configuration > Webmin Modules - Select "From local file" and enter:
/usr/local/csf/csfwebmin.tgz
- Install the module
The plugins for DirectAdmin or cPanel are installed automatically.
1.4 Disable FirewallD (CentOS 7+)
Before stepping into the CSF configuration process, be aware that CentOS 7 and later ship with a default firewall service called "firewalld". csf manages the iptables rules directly, and the two must not manage the rules at the same time, so you have to stop firewalld and remove it from startup before csf is started.
Stop firewalld by entering the following command:
systemctl stop firewalld
Disable/Remove firewalld from startup:
systemctl disable firewalld
2. Test IPtables
This test is recommended to double check that the correct iptables modules are installed. The test can be invoked by issuing the command below, or by going to the "test iptables" section, which can be found at the bottom of the CSF Graphic interface. If you find that not all required modules are installed, you need to work on getting them installed.
This procedure is outside the scope of this article and may require a kernel change on your dedicated server. Those operating an OpenVZ based Virtual Private Server will need to contact their host to get this setup correctly.
perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
3. Configuration
The configuration of your CSF Firewall installation can be maintained by editing the various config files CSF ships with. On Red Hat Enterprise Linux (RHEL) based distributions these can be found in the following location: /etc/csf/
The configuration files include:
- csf.conf - the main configuration file, it has helpful comments explaining what each option does
- csf.allow - a list of IP's and CIDR addresses that should always be allowed through the firewall
- csf.deny - a list of IP's and CIDR addresses that should never be allowed through the firewall
- csf.ignore - a list of IP's and CIDR addresses that lfd should ignore and not block if detected
- csf.*ignore - various ignore files that list files, users, IP's that lfd should ignore. See each file for their specific purpose
If you modify any of the files listed above, you will need to restart csf to have them take effect. If you use the command line options to add or deny IP addresses, then csf automatically does this for you.
However, for the average user it is far quicker to make use of its Graphic Interface (GUI), which can be accessed from within your DirectAdmin, CPanel or Webmin/Virtualmin Control Panel.
3.1 Enabling CSF Firewall
The CSF firewall can be fully enabled by setting:
TESTING = "0"
This can be done via the GUI interface, or by editing the main configuration file, found at /etc/csf/csf.conf.
While TESTING is "1" (the default after installation), csf installs a cron job that flushes the firewall rules every TESTING_INTERVAL minutes (default 5), so a mistake cannot lock you out for long, and lfd will not start. Test your rules with TESTING = "1" first, confirm that you can still open a new SSH session to the server, and only then set it to "0".
Please ensure that your configuration is correct. The wrong settings may lock you out of your server permanently!
FASTSTART
The FASTSTART option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE, IP6TABLES_RESTORE in two ways:
- On a clean server reboot the entire csf iptables configuration is saved and then restored where possible to provide a near instant firewall startup.
- On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD, BOGON, TOR are loaded using this method in a fraction of the time than if this setting is disabled
This feature is not supported on all OS platforms.
3.2 TCP_IN and TCP_OUT / UDP_IN and UDP_OUT
Below you will find a basic explanation of the recommended open TCP_IN ports for INCOMING connections to your DirectAdmin based web server. These ports can be opened from the GUI or the csf.conf file. Open only the ports for services the server actually runs.
- 20, 21: FTP access *
- 22: SSH access
- 25, 587: SMTP, for Exim to receive e-mail (587 is the submission port used by authenticated mail clients)
- 53: DNS (named), the port for your nameservers. Open it in both TCP_IN and UDP_IN.
- 80, 443: Apache traffic, HTTP and HTTPS
- 110, 995: POP3 e-mail access (995 is POP3 over TLS)
- 143, 993: IMAP e-mail access (993 is IMAP over TLS)
- 3306: MySQL. Do not open this port unless you need remote MySQL access; most applications connect to MySQL locally.
- 2222: DirectAdmin access
- 2083: cPanel access over an encrypted SSL connection
- 2082: cPanel access over an unencrypted connection
- 2087: cPanel WHM access over an encrypted SSL connection
- 2086: cPanel WHM access over an unencrypted connection
- 10000: Webmin access
* FTP in passive (PASV) mode requires the server to accept data connections on a random high port. When using ProFTPD you may need to pin that range in your /etc/proftpd.conf file, e.g. PassivePorts 35000 35999, and then open the same range in your CSF firewall. Ranges are written in CSF with a colon, e.g. 35000:35999.
TCP_IN and TCP_OUT / UDP_IN and UDP_OUT are comma separated lists of ports and port ranges:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123"
3.3 ICMP_IN and ICMP_OUT
Allowing ping is usually a good option for diagnostic purposes.
Set ICMP_IN to 1 to allow incoming ping requests to your server, or to 0 to refuse them. If you are hosting any public services, it is recommended to allow ICMP requests, as these can be used to determine whether or not your service is available.
ICMP_IN_LIMIT sets the number of ICMP (ping) requests allowed from one IP address within a specified amount of time. There is usually no need to change the default value (1/s).
Set ICMP_OUT to 1 to allow outgoing ping from your server, or to 0 to refuse it.
ICMP_OUT_LIMIT sets the rate limit for outgoing ICMP (ping) requests. There is usually no need to change the default value (0, which means no rate limit is applied).
3.4 Port flood protection
This setting provides protection against port flood attacks, such as denial of service (DoS) attacks. You may specify the amount of allowed connections on each port within time period of your liking. Enabling this feature is recommended, as it may possibly prevent an attacker forcing your services down. You should pay attention to what limits you set, as too restrictive settings will drop connections from normal clients. Then again, too permissive settings may allow an attacker to succeed in a flood attack.
PORTFLOOD is a comma separated list of:
port;protocol;hit count*;interval seconds
So, a setting of PORTFLOOD = "22;tcp;5;300,80;tcp;20;5"
means:
- 1. If more than 5 connections to tcp port 22 within 300 seconds, then block that IP address from port 22 for at least 300 seconds after the last packet is seen, i.e. there must be a "quiet" period of 300 seconds before the block is lifted
- 2. If more than 20 connections to tcp port 80 within 5 seconds, then block that IP address from port 80 for at least 5 seconds after the last packet is seen, i.e. there must be a "quiet" period of 5 seconds before the block is lifted
You may add more ports by separating them by commas like described as follows: port1;protocol1;connection_count1;time1,port2;protocol2;connection_count2;time2
3.5 Port knocking
Port knocking allows clients to establish connections to a server with no ports open. The server allows clients to connect to the main ports only after a successful port knock sequence. You may find this useful if you offer services which are available to only a limited audience.
The feature requires that you list a random selection of unused ports (at least 3) with a timeout. The ports you choose must not be in use and must not appear in TCP_IN (UDP_IN for udp packets). The port to be opened must also not appear in TCP_IN (UDP_IN for udp packets).
PORTKNOCKING is a comma separated list of:
openport;protocol;timeout;kport1;kport2;kport3[...;kportN]
So, a setting of PORTKNOCKING = "22;TCP;20;100;200;300;400"
means:
Open Port 22 TCP for 20 seconds to the connecting IP address to new connections once ports 100, 200, 300 and 400 have been accessed (i.e. knocked with a SYN packet) each knock being less than 20 seconds apart.
Access to port 22 remains active after 20 seconds until the connection is dropped, however new connections will not be allowed.
3.6 Syslog and RESTRICT_SYSLOG
When enabled, this option logs lfd (Login Failure Daemon) messages to syslog as well as to /var/log/lfd.log.
Unfortunately, it is trivial for end-users and scripts run by end-users to spoof log lines that appear identical to any log line reported in logs maintained by syslog/rsyslog. You can identify these logs by looking in /etc/syslog.conf or /etc/rsyslog.conf.
This means that anyone on the server can maliciously trigger applications that monitor these logs, such as lfd does for the following options:
LF_SSHD, LF_FTPD, LF_IMAPD, LF_POP3D, LF_BIND, LF_SUHOSIN, LF_SSH_EMAIL_ALERT, LF_SU_EMAIL_ALERT, LF_CONSOLE_EMAIL_ALERT, LF_DISTATTACK, LF_DISTFTP, LT_POP3D, LT_IMAPD, PS_INTERVAL, UID_INTERVAL, WEBMIN_LOG, LF_WEBMIN_EMAIL_ALERT, PORTKNOCKING_ALERT, ST_ENABLE, SYSLOG_CHECK, LOGSCANNER, CUSTOM*_LOG
A malicious user could use this issue to trigger confusing emails regarding both successful and failed login attempts, kernel log lines (including iptables log lines) etc. Because lfd blocks the source address it reads from the log line, such a user can also get arbitrary IP addresses blocked, including the administrator's own.
CentOS 7
We recommend setting the option RESTRICT_SYSLOG to 3 to restrict who can access the syslog/rsyslog unix socket. The default group is mysyslog; a custom group can be defined under RESTRICT_SYSLOG_GROUP.
CentOS 6
To mitigate spoofing attempts we recommend the following, if you are willing to accept the consequences of spoofed log lines:
- Go through the options above ensuring that only those that you need are enabled.
- Ensure that DENY_IP_LIMIT and DENY_TEMP_IP_LIMIT are set reasonably low (for example, 200). This will limit attempts to block large numbers of IP addresses.
- Ensure that administrator/support IP addresses are listed in /etc/csf/csf.allow and perhaps /etc/csf/csf.ignore. This will prevent malicious blocking from denying you access to the server.
- To confirm successful logins to SSH, use the "last" utility from the root shell, e.g.: last -da
- Regularly check the server and user data for exploits, old vulnerable applications and out of date OS applications.
- Consider carefully any application that you use that centralises actions and syslog/rsyslog logs and the implications of spoofed log lines.
- Consider the implications of this overall issue on applications and scripts other than csf/lfd that use the affected log files.
- Ultimately, you could consider restricting access to all configured syslog/rsyslog unix sockets. This can be used via file permissions and ownership of the sockets (e.g. /dev/log) but there are several caveats: file permissions and ownership have to be reapplied whenever syslog/rsyslog is restarted; restricting logging will break/limit some applications ability to log to syslog/rsyslog, for example crond.
- Do not enable syslog/rsyslog reception via UDP/TCP ports.
3.7 Connection limit protection CONNLIMIT
This feature can be used to limit the number of concurrent active connections from an IP address to each port. When properly configured, this may prevent abuses on the server, such as DoS attacks.
CONNLIMIT is a comma separated list of:
port;limit
So, a setting of CONNLIMIT = "22;5,80;20"
means:
- Only allow up to 5 concurrent new connections to port 22 per IP address
- Only allow up to 20 concurrent new connections to port 80 per IP address
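As an added example, written for this page and not part of the guide or of csf itself: the Python below reads the PORTFLOOD, CONNLIMIT and PORTKNOCKING values from a csf.conf-style fragment, parses each of the tuple formats described in sections 3.4, 3.5 and 3.7, and checks the constraints the guide states, in particular that a port-knocking target and its knock ports are absent from TCP_IN/UDP_IN. The fragment is constructed from this guide's own example values; combining them shows that the PORTKNOCKING example, which opens port 22, conflicts with a TCP_IN that already lists 22. The check that a flood or connection limit refers to an open port is the author's own sanity check, not a rule csf enforces.

```python
import re

# Constructed csf.conf fragment built from the examples in this guide (not a real
# server's file). Combining them exposes one conflict that lint() reports.
CSF_CONF = '''
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999"
UDP_IN = "20,21,53"
PORTFLOOD = "22;tcp;5;300,80;tcp;20;5"
CONNLIMIT = "22;5,80;20"
PORTKNOCKING = "22;TCP;20;100;200;300;400"
'''

def parse_conf(text):
    """Return {NAME: value} for NAME = "value" lines; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def expand_ports(spec):
    """Expand a TCP_IN/UDP_IN list such as "22,80,35000:35999" to a set of ints."""
    ports = set()
    for item in filter(None, spec.split(",")):
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports

def parse_portflood(spec):
    """PORTFLOOD entries: port;protocol;hit count;interval seconds."""
    rules = []
    for entry in filter(None, spec.split(",")):
        port, proto, hits, interval = entry.split(";")
        rules.append((int(port), proto.lower(), int(hits), int(interval)))
    return rules

def parse_connlimit(spec):
    """CONNLIMIT entries: port;limit (concurrent connections per source IP)."""
    return [(int(port), int(limit))
            for port, limit in (entry.split(";") for entry in filter(None, spec.split(",")))]

def parse_portknocking(spec):
    """PORTKNOCKING entries: openport;protocol;timeout;kport1;kport2;kport3[...;kportN]."""
    rules = []
    for entry in filter(None, spec.split(",")):
        fields = entry.split(";")
        knocks = [int(k) for k in fields[3:]]
        rules.append((int(fields[0]), fields[1].lower(), int(fields[2]), knocks))
    return rules

def lint(conf):
    """Check the constraints this guide states; return a list of problem strings."""
    problems = []
    open_ports = {"tcp": expand_ports(conf.get("TCP_IN", "")),
                  "udp": expand_ports(conf.get("UDP_IN", ""))}
    # Author's sanity check: a flood or connection limit on a closed port has nothing to limit.
    for port, proto, _hits, _interval in parse_portflood(conf.get("PORTFLOOD", "")):
        if port not in open_ports[proto]:
            problems.append(f"PORTFLOOD: {proto}/{port} is not in {proto.upper()}_IN")
    for port, _limit in parse_connlimit(conf.get("CONNLIMIT", "")):
        if port not in open_ports["tcp"] | open_ports["udp"]:
            problems.append(f"CONNLIMIT: port {port} is not in TCP_IN or UDP_IN")
    # Guide's rules: at least 3 knock ports; the knock ports and the port being
    # opened must not appear in TCP_IN (UDP_IN for udp).
    for openport, proto, _timeout, knocks in parse_portknocking(conf.get("PORTKNOCKING", "")):
        if len(knocks) < 3:
            problems.append(f"PORTKNOCKING: {openport} needs at least 3 knock ports")
        if openport in open_ports[proto]:
            problems.append(f"PORTKNOCKING: open port {openport} must not appear in {proto.upper()}_IN")
        for k in knocks:
            if k in open_ports[proto]:
                problems.append(f"PORTKNOCKING: knock port {k} must not appear in {proto.upper()}_IN")
    return problems

if __name__ == "__main__":
    for problem in lint(parse_conf(CSF_CONF)):
        print(problem)
```

Point parse_conf at the contents of /etc/csf/csf.conf to run the same checks against a live configuration before setting TESTING to "0".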
3.8 Port/IP address redirection
CSF can be configured to redirect connections to an IP/port to another IP/port. Note: After redirection, the source address of the client will be the server's IP address.
Requirements:
- nat tables
- ipt_DNAT iptables module
- ipt_SNAT iptables module
- ipt_REDIRECT iptables module
Redirections are listed one per line in /etc/csf/csf.redirect. The following are the allowed redirection formats:
DNAT (redirect from one IP address to a different one):
IPx|*|IPy|*|tcp/udp - To IPx redirects to IPy
IPx|portA|IPy|portB|tcp/udp - To IPx to portA redirects to IPy portB
DNAT examples:
192.168.254.62|*|10.0.0.1|*|tcp
192.168.254.62|666|10.0.0.1|25|tcp
REDIRECT (redirect from port to a different one):
IPx|portA|*|portB|tcp/udp - To IPx to portA redirects to portB
*|portA|*|portB|tcp/udp - To portA redirects to portB
REDIRECT examples:
*|666|*|25|tcp
192.168.254.60|666|*|25|tcp
192.168.254.4|666|*|25|tcp
Where a port is specified it cannot be a range, only a single port.
All redirections to another IP address will always appear on the destination server with the source of this server, not the originating IP address.
This feature is not intended to be used for routing, NAT, VPN, etc tasks
3.9 SYNFLOOD, SYNFLOOD_RATE and SYNFLOOD_BURST
Offers protection against SYN flood attacks. This slows down the initialization of every connection, so you should enable this only if you know that your server is under attack.
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
3.10 Messenger Service
Enabling this feature allows CSF to send a more informative message to the client when a block is applied. This feature has both pros and cons. On one hand, enabling it provides more information to the client, and thus may cause less frustration for instance in case of failed logins. On the other hand, this provides more information, which might make it easier for an attacker to attack your server.
3.11 DENY_IP_LIMIT and DENY_TEMP_IP_LIMIT
DENY_IP_LIMIT sets the maximum number of permanently blocked IP addresses csf keeps in /etc/csf/csf.deny; once the limit is reached, the oldest entries are rotated out. It is recommended to limit the number of denied IP addresses, as having too many blocks may slow down server performance.
DENY_TEMP_IP_LIMIT has the same function for temporary IP address blocks.
3.12 Advanced Allow/Deny Filters
In /etc/csf/csf.allow and /etc/csf/csf.deny you can add more complex port and IP filters using the following format (you must specify a port AND an IP address; with u/g= the IP address slot may be left empty, as in the UID example below):
tcp/udp|in/out|s/d=port|s/d=ip|u=uid
Broken down:
tcp/udp : EITHER tcp OR udp OR icmp protocol
in/out : EITHER incoming OR outgoing connections
s/d=port : EITHER source OR destination port number (or ICMP type) (use a _ for a port range, e.g. 2000_3000)
s/d=ip : EITHER source OR destination IP address
u/g=UID : EITHER UID or GID of source packet, implies outgoing connections, s/d=IP value is ignored
Note: ICMP filtering uses the "port" for s/d=port to set the ICMP type. Whether you use s or d is not relevant as either simply uses the iptables --icmp-type option. Use "iptables -p icmp -h" for a list of valid ICMP types. Only one type per filter is supported.
Examples:
# TCP connections inbound to port 3306 from IP 11.22.33.44
tcp|in|d=3306|s=11.22.33.44
# TCP connections outbound to port 22 on IP 11.22.33.44
tcp|out|d=22|d=11.22.33.44
Note: If omitted, the default protocol is set to "tcp" and the default connection direction is set to "in", so:
# TCP connections inbound to port 22 from IP 44.33.22.11
d=22|s=44.33.22.11
# TCP connections outbound to port 80 from UID 99
tcp|out|d=80||u=99
# ICMP connections inbound for type ping from 44.33.22.11
icmp|in|d=ping|s=44.33.22.11
# TCP connections inbound to port 22 from Dynamic DNS address
# www.configserver.com (for use in csf.dyndns only)
tcp|in|d=22|s=www.configserver.com
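To make the filter syntax concrete, here is an added example (written for this page, not code from the guide or from csf) that parses advanced filter lines with csf's defaults (protocol tcp, direction in, `_` for a port range, the "port" slot carrying the ICMP type for icmp, u/g= implying outgoing and overriding any address) and renders each as the equivalent plain iptables command. The rendering is for illustration only: csf inserts its rules into its own chains rather than straight into INPUT/OUTPUT, and the ACCEPT/DROP action is supplied by the caller to stand for csf.allow versus csf.deny.

```python
import re

PORT_RE = re.compile(r"^\d+(_\d+)?$")   # single port or lo_hi range

def parse_filter(line):
    """Parse one csf.allow / csf.deny advanced filter line into its fields.

    Format: tcp/udp/icmp|in/out|s/d=port|s/d=ip|u/g=id. Fields may be omitted
    (an empty slot is allowed, as in tcp|out|d=80||u=99); protocol defaults to
    tcp and direction to in. For icmp the port slot carries the ICMP type.
    """
    rule = {"proto": "tcp", "dir": "in", "port": None, "port_side": None,
            "ip": None, "ip_side": None, "owner": None}
    for field in line.strip().split("|"):
        if field == "":
            continue
        if field in ("tcp", "udp", "icmp"):
            rule["proto"] = field
        elif field in ("in", "out"):
            rule["dir"] = field
        elif field[:2] in ("u=", "g="):
            rule["owner"] = (field[0], field[2:])
            rule["dir"] = "out"           # owner matching implies outgoing packets
        elif field[:2] in ("s=", "d="):
            side, value = field[0], field[2:]
            # The first s/d= slot is the port (or ICMP type), the second the address.
            looks_like_port = bool(PORT_RE.match(value)) or (
                rule["proto"] == "icmp" and rule["port"] is None)
            if rule["port"] is None and looks_like_port:
                rule["port"], rule["port_side"] = value, side
            else:
                rule["ip"], rule["ip_side"] = value, side
        else:
            raise ValueError(f"unrecognised field {field!r} in {line!r}")
    if rule["port"] is None or (rule["ip"] is None and rule["owner"] is None):
        raise ValueError(f"filter needs a port and an address or owner: {line!r}")
    return rule

def to_iptables(rule, action):
    """Render the parsed filter as an equivalent stand-alone iptables command."""
    chain = "INPUT" if rule["dir"] == "in" else "OUTPUT"
    parts = ["iptables", "-A", chain, "-p", rule["proto"]]
    if rule["proto"] == "icmp":
        parts += ["--icmp-type", rule["port"]]
    else:
        flag = "--sport" if rule["port_side"] == "s" else "--dport"
        parts += [flag, rule["port"].replace("_", ":")]
    if rule["owner"]:
        kind, ident = rule["owner"]   # with u/g= any s/d=ip value is ignored, as csf does
        parts += ["-m", "owner", "--uid-owner" if kind == "u" else "--gid-owner", ident]
    elif rule["ip"]:
        parts += ["-s" if rule["ip_side"] == "s" else "-d", rule["ip"]]
    parts += ["-j", action]
    return " ".join(parts)

def render(line, action="ACCEPT"):
    return to_iptables(parse_filter(line), action)

if __name__ == "__main__":
    for f in ("tcp|in|d=3306|s=11.22.33.44", "d=22|s=44.33.22.11",
              "tcp|out|d=80||u=99", "icmp|in|d=ping|s=44.33.22.11",
              "tcp|in|d=2000_3000|s=10.0.0.0/8"):
        print(f"{f:35} -> {render(f)}")
```

Running it over the guide's own examples shows, for instance, that `d=22|s=44.33.22.11` means "inbound TCP to port 22 from that address" and that the `_` range becomes an iptables `lo:hi` port range.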
3.13 Port Scan Tracking
A port scan is a method for determining which ports on a network are open. Although Port Scanning isn’t inherently hostile, it is often the first step taken by hackers when trying to infiltrate a network.
CSF has the ability to block IP addresses engaged in port scanning by using the Port Scan Tracking feature. This feature works by scanning the iptables block entries in syslog. If an IP address generates a port block that is logged more than PS_LIMIT times within PS_INTERVAL seconds, the IP address will be blocked.
Example: When PS_INTERVAL is set at the default value of 300 and PS_LIMIT is set at 10, any IP address that is logged more than 10 times over a period of 300 seconds will be blocked.
Number of Ports qualifying as a port scan
The PS_DIVERSITY setting specifies how many different ports qualify as a Port Scan. The default value is 1. Increasing this value runs the risk that persistent attempts to attack a specific closed port will not be detected and blocked.
Define ports to track
The PS_PORTS directive defines the ports that should be tracked for port scanning. In the case of servers handling multiple users and domains, or servers with heavy FTP usage, we recommend excluding the FTP ports from port scan tracking. FTP generates a lot of connections and may be the cause of false IP blocks as a result.
We recommend the following if you do wish to enable Port Scan Tracking while facilitating multiple FTP users:
PS_PORTS = "0:19,22:988,991:65535,ICMP"
The excluded ports here are
- Port 20 = FTP Data
- Port 21 = FTP Control
- Port 989 = FTP Data (SSL)
- Port 990 = FTP Control (SSL)
In other cases the default setting should work without problems.
Duration of IP block
The PS_PERMANENT switch determines whether a block will be temporary or permanent. In case the IP block is temporary, the duration of the IP block can be defined under PS_BLOCK_TIME.
Enable Port Scan E-mail alerts
Enabling the directive PS_EMAIL_ALERT enables e-mail alerts to be sent out when an IP address is blocked for Port Scanning. The e-mail address can be defined under LF_ALERT_TO.
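The following added example (written for this page, not lfd's own code) replays constructed kernel log lines through the PS_INTERVAL / PS_LIMIT / PS_DIVERSITY / PS_PORTS logic described above, so you can see which sources would be blocked and why. The log lines are built in the shape of csf's iptables LOG output ("Firewall: *TCP_IN Blocked* ... SRC=... DPT=..."); the exact field set is an assumption and the addresses are documentation ranges, not a real capture. PS_LIMIT is lowered from its default of 10 so the sample stays short. The sample contains a scanner walking across several closed ports, a bot hammering one closed port, and a busy FTP-over-TLS client on port 990, which the PS_PORTS value recommended above deliberately leaves out of tracking.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# csf.conf values for this example (PS_LIMIT lowered from the default 10 to keep the
# constructed log short; PS_PORTS is the FTP-excluding value recommended in this guide).
SETTINGS = {"PS_INTERVAL": 300, "PS_LIMIT": 4, "PS_DIVERSITY": 1,
            "PS_PORTS": "0:19,22:988,991:65535,ICMP"}

def kern_line(stamp, src, proto, dpt=None):
    """Build a kernel log line in the shape of csf's iptables LOG output (constructed, not captured)."""
    dpt_field = f" SPT=40000 DPT={dpt}" if dpt is not None else ""
    return (f"{stamp} web1 kernel: Firewall: *{proto}_IN Blocked* IN=eth0 OUT= "
            f"SRC={src} DST=198.51.100.2 LEN=60 TTL=54 PROTO={proto}{dpt_field}")

SAMPLE_LOG = [
    # a scanner walking across five closed ports within a minute
    *(kern_line(f"Jan 05 10:00:{s:02d}", "203.0.113.7", "TCP", p)
      for s, p in zip(range(1, 50, 10), (23, 445, 3389, 5900, 8080))),
    # a bot hammering one closed port
    *(kern_line(f"Jan 05 10:01:{s:02d}", "198.51.100.9", "TCP", 23) for s in range(0, 50, 10)),
    # an FTP-over-TLS client rejected on port 990, which PS_PORTS above excludes
    *(kern_line(f"Jan 05 10:02:{s:02d}", "192.0.2.5", "TCP", 990) for s in range(0, 60, 10)),
    # a single stray ICMP packet: tracked, but far below PS_LIMIT
    kern_line("Jan 05 10:03:00", "192.0.2.77", "ICMP"),
]

LOG_RE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: Firewall: \*\w+ Blocked\*"
    r".*?SRC=(\S+).*?PROTO=(\w+)(?:.*?DPT=(\d+))?")

def tracked_keys(ps_ports):
    """PS_PORTS -> set of tracked port numbers, plus the literal "ICMP" if listed."""
    keys = set()
    for item in filter(None, ps_ports.split(",")):
        if item.upper() == "ICMP":
            keys.add("ICMP")
        elif ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            keys.update(range(lo, hi + 1))
        else:
            keys.add(int(item))
    return keys

def track_port_scans(lines, settings):
    """Replay log lines through the PS_* logic; return {ip: reason} for IPs that would be blocked."""
    tracked = tracked_keys(settings["PS_PORTS"])
    interval, limit, diversity = (settings[k] for k in ("PS_INTERVAL", "PS_LIMIT", "PS_DIVERSITY"))
    history = defaultdict(deque)     # src -> deque of (seconds, port key) inside the window
    blocked = {}
    epoch = datetime(1900, 1, 1)     # syslog stamps carry no year; only differences matter
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp, src, proto, dpt = m.groups()
        key = "ICMP" if proto == "ICMP" else int(dpt)
        if src in blocked or key not in tracked:
            continue                 # already blocked, or a port PS_PORTS does not track
        t = (datetime.strptime(stamp, "%b %d %H:%M:%S") - epoch).total_seconds()
        hits = history[src]
        hits.append((t, key))
        while t - hits[0][0] > interval:          # drop hits older than PS_INTERVAL
            hits.popleft()
        distinct = {k for _, k in hits}
        # block when more than PS_LIMIT hits land in the window on at least PS_DIVERSITY ports
        if len(hits) > limit and len(distinct) >= diversity:
            blocked[src] = f"{len(hits)} blocked packets to {len(distinct)} port(s) in {interval}s"
    return blocked

if __name__ == "__main__":
    for ip, reason in track_port_scans(SAMPLE_LOG, SETTINGS).items():
        print(f"block {ip}: {reason}")
```

With PS_DIVERSITY at 1 both the scanner and the single-port bot are blocked; raising PS_DIVERSITY to 2 keeps the scanner blocked but lets the single-port bot through, which is the trade-off the text above warns about, and widening PS_PORTS to every port would block the FTP client as well.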
4. Login Failure Daemon (LFD)
To complement the ConfigServer Firewall, lfd is a daemon process that runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that continually fail within a short period of time. Such attempts are often called "brute-force attacks", and the daemon process responds very quickly to such patterns and blocks the offending IPs.
There are an array of extensive checks that lfd can perform to help alert the server administrator of changes to the server, potential problems and possible compromises.
lfd has the ability to monitor the most commonly abused protocols:
- SSHD
- POP3
- SMTP
- EXIM
- IMAP
- FTP
- HTTP password protection
- ModSecurity
- DirectAdmin
- Webmin
- BIND
Unlike other applications, lfd is a daemon process that monitors logs continuously and so can react within seconds of detecting such attempts. It also monitors across protocols, so if attempts are made on different protocols in a short space of time, all those attempts will be counted against the threshold.
4.1 Triggering an IP block
If you set LF_TRIGGER to "0", the value of each application trigger is the number of failures against that application that will trigger lfd to block the IP address (see below: Application Triggers).
If you set LF_TRIGGER to a value greater than "0", then the application triggers are simply on or off ("0" or "1"), and the value of LF_TRIGGER is the total cumulative number of failures, counted across all enabled applications, that will trigger lfd to block the IP address.
Example: with LF_TRIGGER set to "20", an offending IP address is blocked once its failures against all enabled applications add up to 20, for instance 12 failed SSH logins plus 8 failed FTP logins.
Setting any of the application triggers to "0" disables it (see below: Application Triggers).
If LF_TRIGGER is greater than "0", then LF_TRIGGER_PERM can be set to "1" to permanently block the IP address, or to a value greater than "1" to block the IP address temporarily for that number of seconds.
Example: LF_TRIGGER_PERM = "1" => the IP is blocked permanently
LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 3600 seconds (1 hour)
If LF_TRIGGER is "0", then each application's LF_[application]_PERM value works in the same way as above and LF_TRIGGER_PERM serves no function.
To only block access to the failed application instead of a complete block for an IP address, you can set LF_SELECT to "1", but LF_TRIGGER must then be set to "0" with specific application trigger levels also set appropriately.
Application Triggers
LF_SSHD = Default: 5 [0-100]
LF_SSHD_PERM = 1
LF_SSHD = the number of failed logins before an IP block occurs.
LF_SSHD_PERM = the block duration. A value of "1" means a permanent block; a higher value represents a temporary IP block defined in seconds.
For SMTP, FTP, login password tracking, etc. the same principles apply (e.g. LF_FTPD and LF_FTPD_PERM).
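The two counting modes are easy to confuse, so here is an added example (written for this page, not lfd's code) that applies both to the same constructed set of failures. One source spreads its failures over SSH and FTP, another concentrates on SSH; in per-application mode (LF_TRIGGER = 0) only the SSH-focused source crosses its LF_SSHD threshold, while in cumulative mode (LF_TRIGGER = 6) only the source that spread its failures reaches the shared total. The model ignores lfd's time window (LF_INTERVAL) and LF_SELECT, and the application names follow the LF_<APP> setting names.

```python
from collections import Counter, defaultdict

# Constructed failure events in the order lfd would read them from the logs:
# (source IP, application as named in the LF_<APP> settings). Not real log data.
FAILURES = [
    *[("203.0.113.5", "SSHD")] * 3, *[("203.0.113.5", "FTPD")] * 3,   # spread across two services
    *[("198.51.100.20", "SSHD")] * 5,                                  # focused on SSH
]

PER_APP_CONF = {"LF_TRIGGER": 0,
                "LF_SSHD": 5, "LF_SSHD_PERM": 1,        # 5 SSH failures -> permanent block
                "LF_FTPD": 10, "LF_FTPD_PERM": 3600}    # 10 FTP failures -> 1 hour block

CUMULATIVE_CONF = {"LF_TRIGGER": 6, "LF_TRIGGER_PERM": 3600,
                   "LF_SSHD": 1, "LF_FTPD": 1}          # here LF_<APP> is only on/off

def block_duration(perm):
    """LF_*_PERM: 1 means permanent, any larger value is a temporary block in seconds."""
    return "permanent" if perm == 1 else perm

def decide_blocks(failures, conf):
    """Return {ip: (duration, trigger)} for every IP that would be blocked under conf."""
    counts = defaultdict(Counter)
    for ip, app in failures:
        counts[ip][app] += 1
    blocked = {}
    for ip, per_app in counts.items():
        if conf["LF_TRIGGER"] > 0:
            # cumulative mode: failures against all enabled applications share one threshold
            total = sum(n for app, n in per_app.items() if conf.get(f"LF_{app}", 0) != 0)
            if total >= conf["LF_TRIGGER"]:
                blocked[ip] = (block_duration(conf["LF_TRIGGER_PERM"]), "LF_TRIGGER")
        else:
            # per-application mode: each LF_<APP> is its own threshold with its own _PERM
            for app, n in per_app.items():
                threshold = conf.get(f"LF_{app}", 0)
                if threshold and n >= threshold:
                    blocked[ip] = (block_duration(conf.get(f"LF_{app}_PERM", 1)), f"LF_{app}")
                    break
    return blocked

if __name__ == "__main__":
    print("per-application:", decide_blocks(FAILURES, PER_APP_CONF))
    print("cumulative:     ", decide_blocks(FAILURES, CUMULATIVE_CONF))
```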
4.2 E-Mail Alerts
You can specify an email address to report errors from the Login Failure Daemon.
LF_ALERT_TO = ""
LF_ALERT_FROM = ""
LF_ALERT_SMTP = ""
4.3 Login Tracking
Login tracking is an extension of lfd, it keeps track of POP3 and IMAP logins and limits them to X connections per hour per account per IP address. It uses iptables to block offenders to the appropriate protocol port only and flushes them every hour and starts counting logins afresh. All of these blocks are temporary and can be cleared manually by restarting csf.
There are two settings, one for POP3 and one for IMAP logins. It's generally not a good idea to track IMAP logins, as many clients log in each time they perform a protocol transaction (there's no need for them to repeatedly log in, but you can't avoid bad client programming!). So, if you do have a need to limit IMAP logins, it is probably best to set the login limit quite high.
4.4 Process Tracking
This option enables tracking of user and nobody processes and examines them for suspicious executables or open network ports. Its purpose is to identify potential exploit processes that are running on the server, even if they are obfuscated to appear as system services. If a suspicious process is found an alert email is sent with relevant information. Processes may be excluded from process tracking by editing the csf.pignore file.
For example, to disable Process tracking for Spamassassin and ClamAV enter the following in the csf.pignore file. This file can also be edited from the CSF gui:
exe:/usr/bin/freshclam
exe:/usr/bin/spamc
exe:/usr/bin/spamd
cmd:spamd child
4.5 Directory Watching
Directory Watching enables lfd to check /tmp and /dev/shm and other pertinent directories for suspicious files, i.e. script exploits.
5. IP Block Lists
This feature allows csf/lfd to periodically download lists of IP addresses and CIDRs from published block or black lists. Blocklists are controlled by the file /etc/csf/csf.blocklists.
IP Block lists can also be configured by going to the lfd blocklists button, which can be found near the bottom of the included GUI.
Enable a blocklist by uncommenting the line starting with the rule name to use it, then restart csf and then lfd.
Each block list must be listed per line as: NAME|INTERVAL|MAX|URL
- NAME
- List name with all uppercase alphabetic characters with no spaces and a maximum of 9 characters - this will be used as the iptables chain name
- INTERVAL
- Refresh interval to download the list, must be a minimum of 3600 seconds (an hour), but 86400 (a day) should be more than enough
- MAX
- This is the maximum number of IP addresses to use from the list a value of 0 means all IPs are used
- URL
- The URL to download the list from
Pre-configured blocklists, which can be enabled simply by uncommenting them, include:
- Spamhaus
- DShield
- TOR
- BOGON - Blocking bogon addresses (addresses that should not be possible) is usually a good decision. To enable, set the number of seconds between refreshes. I recommend enabling this option and setting the refresh at 86400 (1 day). If you do so, be sure to add your private network adapters to the skip list.
- Project Honeypot
- BruteForceBlocker
- Emerging Threats - Russian Business Networks List
- OpenBL.org 30 day List
- Autoshun Shun List
- MaxMind GeoIP Anonymous Proxies
Some of these lists are very long (thousands of IP addresses) and could cause serious network and/or performance issues, so setting a value for the MAX field should be considered.
Each URL is scanned for an IPv4/CIDR address per line and if found is blocked.
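As an added example (written for this page, not csf's own code), the Python below parses a constructed csf.blocklists fragment into NAME|INTERVAL|MAX|URL entries, applies the constraints stated above (uppercase NAME of at most 9 characters, INTERVAL of at least 3600 seconds, commented-out lines disabled) and then scans a constructed list body for one IPv4 address or IPv4/CIDR per line, honouring MAX. It does not download anything; the list body is embedded so it runs offline. The names and URLs are placeholders, and treating MAX as "the first MAX addresses in the file" is an assumption about how the cap is applied.

```python
import ipaddress
import re

# Constructed csf.blocklists fragment: one valid entry, one commented out (disabled),
# and one with the mistakes the checks below report. Names and URLs are placeholders.
BLOCKLISTS = '''
# NAME|INTERVAL|MAX|URL
EXAMPLEA|86400|0|https://lists.example.org/a.txt
# DISABLED|86400|0|https://lists.example.org/b.txt
toolongname|600|100|https://lists.example.org/c.txt
'''

# Constructed body of a downloaded list, in the style of a DROP-type feed (not a real feed).
LIST_BODY = '''
; constructed sample, not a real feed
192.0.2.0/24 ; SBL000001
198.51.100.14
203.0.113.0/25 ; SBL000002
this line has no address
2001:db8::/32 ; IPv6 is ignored by an IPv4-only scan
'''

def parse_blocklists(text):
    """Parse enabled NAME|INTERVAL|MAX|URL lines; return (entries, problems)."""
    entries, problems = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # commented-out lines are disabled lists
        name, interval, maximum, url = line.split("|", 3)
        if not re.fullmatch(r"[A-Z]{1,9}", name):
            problems.append(f"{name}: NAME must be 1-9 uppercase letters (it becomes an iptables chain name)")
        if int(interval) < 3600:
            problems.append(f"{name}: INTERVAL {interval} is below the 3600 second minimum")
        entries.append({"name": name, "interval": int(interval), "max": int(maximum), "url": url})
    return entries, problems

IPV4_CIDR = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\b")

def extract_networks(body, maximum=0):
    """Take the first IPv4 address or IPv4/CIDR on each line; MAX 0 keeps all, otherwise the first MAX."""
    networks = []
    for line in body.splitlines():
        m = IPV4_CIDR.search(line)
        if not m:
            continue
        try:
            networks.append(str(ipaddress.ip_network(m.group(1), strict=False)))
        except ValueError:
            continue                          # e.g. an octet above 255 or a prefix above 32
        if maximum and len(networks) >= maximum:
            break
    return networks

if __name__ == "__main__":
    entries, problems = parse_blocklists(BLOCKLISTS)
    for p in problems:
        print("problem:", p)
    for entry in entries:
        print(entry["name"], "->", extract_networks(LIST_BODY, entry["max"]))
```

Each entry's name becomes an iptables chain, which is why the 9-character uppercase rule matters, and the MAX cap is what keeps a multi-thousand-entry feed from turning into a multi-thousand-rule chain.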
6. Country Code Lists and Settings
With the options displayed below, you can block or allow entire countries from accessing your server. To do so, enter the country codes in a comma separated list. Even though this generates a lot of additional rules, it's valuable to some sysadmins.
These lists are never 100% accurate and some ISP's (e.g. AOL) use non-geographic IP address designations for their clients. Some of the CIDR lists are huge and each one requires a rule within the incoming iptables chain. This can result in significant performance overheads and could render the server inaccessible in some circumstances. Due to the resource constraints on VPS servers this feature should not be used on such systems unless you choose very small CC zones
CC_ALLOW and CC_DENY are comma separated lists of country codes, e.g. "US,GB,DE":
CC_DENY = ""
CC_ALLOW = ""
CC_ALLOW_FILTER is an alternative to CC_ALLOW: only the listed countries can connect, but their traffic is still filtered by the port and packet rules. All other connections are dropped:
CC_ALLOW_FILTER = ""
CC_ALLOW_PORTS allows access from the listed countries only to the specific ports listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP.
Note: The rules for this feature are inserted after the allow and deny rules to still allow blocking of IP addresses. All listed ports should be removed from TCP_IN/UDP_IN to block access from elsewhere. The port options use the same format as TCP_IN/UDP_IN.
CC_ALLOW_PORTS = ""
CC_ALLOW_PORTS_TCP = ""
CC_ALLOW_PORTS_UDP = ""
CC_IGNORE prevents lfd from blocking IP address hits for the listed country codes:
CC_IGNORE = ""
CC_DENY_PORTS denies access from the listed countries to the specific ports listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP.
Note: The rules for this feature are inserted after the allow and deny rules so that individual IP addresses can still be allowed. The port options use the same format as TCP_IN/UDP_IN.
CC_DENY_PORTS = ""
CC_DENY_PORTS_TCP = ""
CC_DENY_PORTS_UDP = ""
7. Using the Command Line
Here are the some of the most common commands you will be using:
Manually Deny an IP address:
csf -d IPADDRESS
Manually Allow an IP address:
csf -a IPADDRESS
Reload all firewall rules:
csf -r
Update CSF:
csf -u
Start the CSF service:
csf -e
Restart the CSF service:
# CentOS 5 and 6
service csf restart
# CentOS 7 and later
systemctl restart csf.service
For a complete overview of all command line options enter csf or csf -h on the command line and you will receive a list of all available options (output from an older version; the paths shown for csf.allow and csf.deny are /etc/csf/csf.allow and /etc/csf/csf.deny on current installations):
csf --help
csf: v5.17 (DirectAdmin)
ConfigServer Security & Firewall
(c)2006-2013, Way to the Web Limited (http://www.configserver.com)
Usage: /usr/sbin/csf [option] [value]
Option              Meaning
-h, --help          Show this message
-l, --status        List/Show iptables configuration
-l6, --status6      List/Show ip6tables configuration
-s, --start         Start firewall rules
-f, --stop          Flush/Stop firewall rules (Note: lfd may restart csf)
-r, --restart       Restart firewall rules
-q, --startq        Quick restart (csf restarted by lfd)
-sf, --startf       Force CLI restart regardless of LF_QUICKSTART setting
-a, --add ip        Allow an IP and add to /etc/csf.allow
-ar, --addrm ip     Remove an IP from /etc/csf.allow and delete rule
-d, --deny ip       Deny an IP and add to /etc/csf.deny
-dr, --denyrm ip    Unblock an IP and remove from /etc/csf.deny
-df, --denyf        Remove and unblock all entries in /etc/csf.deny
-g, --grep ip       Search the iptables rules for an IP match (incl. CIDR)
-t, --temp          Displays the current list of temp IP entries and their TTL
-tr, --temprm ip    Remove an IP from the temp IP ban and allow list
-td, --tempdeny ip ttl [-p port] [-d direction]
                    Add an IP to the temp IP ban list. ttl is how long to block for (default: seconds, can use one suffix of h/m/d). Optional port. Optional direction of block can be one of: in, out or inout (default: in)
-ta, --tempallow ip ttl [-p port] [-d direction]
                    Add an IP to the temp IP allow list (default: inout)
-tf, --tempf        Flush all IPs from the temp IP entries
-cp, --cping        PING all members in an lfd Cluster
-cd, --cdeny ip     Deny an IP in a Cluster and add to /etc/csf.deny
-ca, --callow ip    Allow an IP in a Cluster and add to /etc/csf.allow
-cr, --crm ip       Unblock an IP in a Cluster and remove from /etc/csf.deny
-cc, --cconfig [name] [value]
                    Change configuration option [name] to [value] in a Cluster
-cf, --cfile [file] Send [file] in a Cluster to /etc/csf/
-crs, --crestart    Cluster restart csf and lfd
-w, --watch ip      Log SYN packets for an IP across iptables chains
-m, --mail [addr]   Display Server Check in HTML or email to [addr] if present
-lr, --logrun       Initiate Log Scanner report via lfd
-c, --check         Check for updates to csf but do not upgrade
-u, --update        Check for updates to csf and upgrade if available
-uf                 Force an update of csf
-x, --disable       Disable csf and lfd
-e, --enable        Enable csf and lfd if previously disabled
-v, --version       Show csf version
8. File Locations
8.1 Directory structure
File | Description
---|---
/etc/csf/ | configuration files
/var/lib/csf/ | temporary data files
/usr/local/csf/bin/ | scripts
/usr/local/csf/lib/ | perl modules and static data
/usr/local/csf/tpl/ | email alert templates
8.2 Configuration Files
File | Description
---|---
/etc/csf/csf.conf | The main configuration file.
/etc/csf/csf.allow | A list of IPs and CIDR addresses that should always be allowed through the firewall.
/etc/csf/csf.deny | A list of IPs and CIDR addresses that should never be allowed through the firewall.
/etc/csf/csf.ignore | A list of IPs and CIDR addresses that the login failure daemon should ignore and not block if detected.
/etc/csf/csf.*ignore | Various ignore files that list files, users and IPs that the login failure daemon should ignore.
9. Further Considerations
Please ensure to follow the recommendations outlined on the "Check Server Security" page from within the CSF GUI. It is also wise to double check that all required IPtables modules are properly loaded by heading to the "Test Iptables" page at the bottom of the CSF GUI. If they are not properly loaded, and you are on a Virtual Private Server (VPS), contact your host to fix this.
CSF assumes your php.ini file is located in /usr/local/lib/php.ini
If your php.ini file was installed in a different location, you can create a symlink to the correct location. This may be helpful if you want to make use of CSFs security suggestions on the "Check Server Security" page.
To create the symlink enter the following:
ln -s /path/to/your/actual/php.ini /usr/local/lib/php.ini
Don't ever run iptables -F while using CSF, unless you want to lock yourself out. If you need the rules gone, use csf -f (flush) or csf -x (disable csf and lfd), and csf -r to load them again.
10. Uninstallation
On cPanel servers:
cd /etc/csf
sh uninstall.sh
On DirectAdmin servers:
cd /etc/csf
sh uninstall.directadmin.sh
On generic linux servers:
cd /etc/csf
sh uninstall.generic.sh
Need Help?
Should you require any further assistance or in case you have any questions about CSF, please open a ticket with our support team by logging in to your account, or you can also visit the CSF home page where you can find further documentation and FAQs.