Config Server Firewall (or CSF) is a free and advanced firewall for most Linux distributions and Linux based VPS. In addition to the basic functionality of a firewall – filtering packets – CSF includes other security features, such as login/intrusion/flood detections. CSF includes UI integration for cPanel, DirectAdmin and Webmin, but this tutorial only covers the command line usage. CSF is able to recognize many attacks, such as port scans, SYN floods, and login brute force attacks on many services. It is configured to temporarily block clients who are detected to be attacking the cloud server.

The full list of supported operating systems and features can be found on ConfigServer's website.

Requirements

  • A single instance of VPS with the Centos 7 template (1 GB of RAM will work fine)

Features

Config Server Firewall offers a wide range of protections for your VPS.

Login authentication failure daemon:

CSF checks the logs for failed login attempts at regular time interval, and is able to recognize most unauthorized attempts to gain access to your cloud server. You can define the desired action CSF takes and after how many attempts in the configuration file.

The following applications are supported by this feature:

  • Courier imap, Dovecot, uw-imap, Kerio
  • openSSH
  • cPanel, WHM, Webmail (cPanel servers only)
  • Pure-ftpd, vsftpd, Proftpd
  • Password protected web pages (htpasswd)
  • Mod_security failures (v1 and v2)
  • Suhosin failures
  • Exim SMTP AUTH

In addition to these, you are able define your own login files with regular expression matching. This can be helpful if you have an application which logs failed logins, but does block the user after specific number of attempts.

Process tracking

CSF can be configured to track processes in order to detect suspicious processes or open network ports, and send an email to the system administrator if any is detected. This may help you to identify and stop a possible exploit on your VPS.

Directory watching

Directory watching monitors the /temp and other relevant folders for malicious scripts, and sends an email to the system administrator when one is detected.

Messenger service

Enabling this feature allows CSF to send a more informative message to the client when a block is applied. This feature has both pros and cons. On one hand, enabling it provides more information to the client, and thus may cause less frustration for instance in case of failed logins. On the other hand, this provides more information, which might make it easier for an attacker to attack your VPS.

Port flood protection

This setting provides protection against port flood attacks, such as denial of service (DoS) attacks. You may specify the amount of allowed connections on each port within time period of your liking. Enabling this feature is recommended, as it may possibly prevent an attacker forcing your services down. You should pay attention to what limits you set, as too restrictive settings will drop connections from normal clients. Then again, too permissive settings may allow an attacker to succeed in a flood attack.

Port knocking

Port knocking allows clients to establish connections a server with no ports open. The server allows clients connect to the main ports only after a successful port knock sequence. You may find this useful if you offer services which are available to only limited audience.

Read more about port knocking

Connection limit protection

This feature can be used to limit the number concurrent of active connections from an IP address to each port. When properly configured, this may prevent abuses on the server, such as DoS attacks.

Port/IP address redirection

CSF can be configured to redirect connections to an IP/port to another IP/port. Note: After redirection, the source address of the client will be the server's IP address. This is not an equivalent to network address translation (NAT).

UI integration

In addition to command line interface, CSF also offers UI integration for cPanel and Webmin. If you are not familiar with Linux command line, you might find this feature helpful.

IP block lists

This feature allows CSF to download lists of blocked IP addresses automatically from sources defined by you.

Installing ConfigServer Firewall

Step 1 - Downloading

$

wget http://download.configserver.com/csf.tgz

This will download CSF to your current working directory.

Step 2 - Uncompressing

The downloaded file is a compressed from of tar package, and has to be uncompressed and extracted before it can be used.

$

tar -xzf csf.tgz

Step 3 - Installing

Disable/Remove firewalld from the startup:

$$

systemctl disable firewalld systemctl stop firewalld

Install and create folder iptables

$$$

yum -y install iptables-services touch /etc/sysconfig/iptables touch /etc/sysconfig/iptables6

Start Iptables

$$$$

systemctl start iptables systemctl start ip6tables systemctl enable iptables systemctl enable ip6tables

$$

cd csf sh install.sh

The firewall is now installed, but you should check if the required iptables modules are available.

$

perl /usr/local/csf/bin/csftest.pl

The firewall will work if no fatal errors are reported.

Note: Your IP address was added to the whitelist if possible. In addition, the SSH port has been opened automatically, even if it uses custom port. The firewall was also configured to have testing mode enabled, which means that the iptables rules will be automatically removed five minutes after starting CSF. This should be disabled once you know that your configuration works, and you will not be locked out.

Configuration

CSF can be configured by editing its configuration file csf.conf in /etc/csf:

$

vim /etc/csf/csf.conf

Change TESTING = "1" to TESTING = "0" (otherwise, the lfd daemon will fail to start) and list allowed incoming and outgoing ports as a comma-separated list (TCP_IN and TCP_OUT, respectively) in /etc/csf/csf.conf as shown in the below output:

/etc/csf/csf.conf

... # lfd will not start while this is enabled TESTING = "0" # Allow incoming TCP ports TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995" # Allow outgoing TCP ports TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995" ...

Once you are happy with the configuration, save the changes and return to the command line.

The changes can be applied with command:

$

csf -r

CSF Configuration Options and Usage

  • csf.conf : The main configuration file for controlling CSF.
  • csf.allow : The list of allowed IP’s and CIDR addresses on the firewall.
  • csf.deny : The list of denied IP’s and CIDR addresses on the firewall.
  • csf.ignore : The list of ignored IP’s and CIDR addresses on the firewall.
  • csf.*ignore : The list of various ignore files of users, IP’s.

Conclusion

In this article we have explained how to install, configure, and use CSF as a firewall and intrusion detection system. Please note that more features are outlined in csf.conf.