How to Install the CSF Firewall on CentOS 7
One of the first things you should do after installing CentOS 7 is to configure a decent firewall. The packet filter built into CentOS 7 is netfilter, driven by iptables rules, and the management tool installed by default is firewalld. Writing iptables rules by hand is a very thorough solution, but it has a steep learning curve, and a single mistaken rule can either leave a service exposed or lock you out of the server. This is why we recommend a third-party front end called ConfigServer Security & Firewall (CSF). It is free, it generates and maintains the iptables rule set from a single configuration file, and it ships with a login failure daemon (lfd) that blocks addresses that repeatedly fail to authenticate. Note that CSF manages the iptables rules itself, so firewalld must be stopped and disabled before CSF is started; running both at once produces two competing rule sets.
In this tutorial, we will go in-depth on how to install, configure, and block ports using CSF. This tutorial focuses on installing CSF on a CentOS 7 server.
Step 1: Checking for Pre-Requisites
The CSF package relies on Perl for some of its functionality. So first we need to make sure that Perl is installed by running the following command:
yum list installed perl
If Perl is installed, the output lists the perl package under "Installed Packages".
If it’s not installed, then you can install it by typing:
sudo yum install perl
The CSF readme also recommends the perl-libwww-perl, perl-LWP-Protocol-https and perl-GDGraph packages on RHEL/CentOS; lfd uses the LWP modules for its update checks and the GD module for the optional statistics graphs, so install them with yum now if you want those features. Now we can proceed with the CSF installation.
Step 2: Downloading, Extracting and Installing CSF
The command below downloads the current CSF tarball straight from ConfigServer's download URL and extracts it. If the URL changes, check the CSF page on the ConfigServer website for the current link. Download and extract in one step, like this:
wget -qO- https://download.configserver.com/csf.tgz | tar xvz
This creates a new folder called "csf". Change into it with cd csf, then run the installer:
sudo sh install.sh
The installation completes quickly. CSF is not yet running at this point; it ships a test script, csftest.pl, that checks whether the iptables modules CSF needs are available on this kernel (on a VPS or container with a restricted kernel some of them may be missing). Run it:
perl /usr/local/csf/bin/csftest.pl
If all goes well, every module test passes and the last line reads "RESULT: csf should function on this server". This means that CSF is ready to run on your system.
Step 3: Ensuring that you Don’t Lock Yourself Out
First things first – before activating any firewall solution, you need to make sure of two things:
- Your SSH port is open
- Your IP address is whitelisted
Note: Without these two key factors, you risk getting locked out of your own server! The CSF installer handles both: it reads the Port directive from /etc/ssh/sshd_config and adds that port to the allowed list, so a custom SSH port is covered, and it adds the IP address you are connected from to /etc/csf/csf.allow. However, even with this additional protection, it is always a good idea to verify this, especially if you connect from a dynamic address or through a jump host, since the whitelisted address may not be the one you will use next time.
To do this, open the CSF configuration file /etc/csf/csf.conf in your preferred text editor, for example sudo vi /etc/csf/csf.conf.
Now scroll down to the line called "TCP_IN". This is a comma-separated list of ports on which incoming TCP connections are allowed. The stock list already includes HTTP and HTTPS, but also FTP, SMTP, POP3 and IMAP, so on this server it looks like this, with the custom SSH port at the end:
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,7022"
"7022" is the custom SSH port set up on this server. So, CSF has done its job and automatically added it to the list of allowed ports. If your SSH port is missing here, add it before going any further. It is also worth trimming the list to the services this server actually runs; a mail or FTP port that is open but has nothing listening behind it is harmless today, but it silently becomes an exposure the day someone installs that service. TCP_OUT, UDP_IN and UDP_OUT below it follow the same format for outgoing and UDP traffic.
CSF also includes the Login Failure Daemon, lfd, which watches the authentication logs for repeated failed logins and blocks the offending addresses. On a fresh install the "TESTING" variable is set to "1", which keeps lfd from starting and installs a cron job that flushes the firewall rules every TESTING_INTERVAL minutes (5 by default), so that a mistake in the configuration cannot lock you out for good. Once you have confirmed that your SSH port and your IP address are allowed, turn testing mode off by setting the variable to "0", like this:
TESTING = "0"
Save your changes. CSF is now configured and ready to run.
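Before starting the firewall it helps to check the two lock-out conditions above mechanically rather than by eye. The bash functions below are an added example, not part of CSF or of this tutorial: they read a csf.conf in the KEY = "value" format shown above, confirm that the port from sshd_config is in TCP_IN and that TESTING is 0, and can add a port to TCP_IN without duplicating it. The csf.conf excerpt and the sshd_config lines are constructed so the script runs offline; to check the real files, pass "$(cat /etc/csf/csf.conf)" and "$(cat /etc/ssh/sshd_config)" to csf_preflight instead.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a csf.conf before starting csf and lfd.
# Not CSF code. Assumes the real file's layout: one "KEY = \"value\"" per line.
set -u

# Constructed csf.conf excerpt (not a real server's file): fresh install, custom SSH port 7022.
SAMPLE_CONF='# csf configuration excerpt (constructed)
TESTING = "1"
TESTING_INTERVAL = "5"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,7022"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
UDP_IN = "20,21,53"
'

# csf_get CONF KEY -> prints the double-quoted value of KEY (first match only)
csf_get() {
    printf '%s\n' "$1" | sed -n "s/^$2 *= *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# csf_port_allowed CONF LIST_KEY PORT -> exit 0 if PORT is an element of the list
csf_port_allowed() {
    local list
    list=$(csf_get "$1" "$2")
    case ",$list," in
        *",$3,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# csf_add_port CONF LIST_KEY PORT -> prints CONF with PORT appended to LIST_KEY (idempotent)
csf_add_port() {
    if csf_port_allowed "$1" "$2" "$3"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$1" | sed "s/^\($2 *= *\"[^\"]*\)\"/\1,$3\"/"
    fi
}

# csf_set CONF KEY VALUE -> prints CONF with KEY's quoted value replaced by VALUE
csf_set() {
    printf '%s\n' "$1" | sed "s/^\($2 *= *\)\"[^\"]*\"/\1\"$3\"/"
}

# sshd_port SSHD_CONFIG_TEXT -> the active (uncommented) Port directive, or 22 if none
sshd_port() {
    local p
    p=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${p:-22}"
}

# csf_preflight CONF SSHD_CONFIG_TEXT -> exit 0 if safe to start csf and lfd, 1 otherwise
csf_preflight() {
    local conf=$1 port ok=0
    port=$(sshd_port "$2")
    if ! csf_port_allowed "$conf" TCP_IN "$port"; then
        echo "FAIL: SSH port $port is not in TCP_IN; starting csf would lock you out"
        ok=1
    fi
    if [ "$(csf_get "$conf" TESTING)" != "0" ]; then
        echo "FAIL: TESTING is not 0; lfd will not start and cron flushes the rules every TESTING_INTERVAL minutes"
        ok=1
    fi
    return $ok
}

# Demo on the constructed excerpt: the fresh config fails, the corrected one passes.
FIXED_CONF=$(csf_add_port "$(csf_set "$SAMPLE_CONF" TESTING 0)" TCP_IN 8443)
for c in "$SAMPLE_CONF" "$FIXED_CONF"; do
    if csf_preflight "$c" 'Port 7022'; then
        echo "preflight: OK to start csf and lfd"
    else
        echo "preflight: fix csf.conf first"
    fi
done
```

The port check matches whole list elements (",7022," rather than "7022"), so a configured port 7022 is never mistaken for 702 or 22. Because the functions print the modified text instead of editing /etc/csf/csf.conf in place, you can review the result before writing it back, which is the moment to catch a typo that would otherwise be loaded by the firewall.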
Step 4: Enabling CSF
To start CSF and lfd, we need to use the following command:
systemctl start csf lfd
The installer normally enables both units, but it does no harm to make sure they come back after a reboot:
systemctl enable csf lfd
And we can test the status like this:
systemctl status csf lfd
The csf unit is a one-shot service that loads the rules into iptables and exits, so it reports "active (exited)"; lfd is a long-running daemon and should report "active (running)". To see the rules CSF has actually loaded, run csf -l (or iptables -L -n). After any later change to csf.conf, reload the rules with csf -r.
Now, let’s verify it.
Step 5: Verifying That the Port is Open/Closed
Current versions of Windows ship PowerShell with the Test-NetConnection cmdlet, which attempts a TCP connection to a remote host and port and reports the result. So let's say we want to verify port number 7022 (SSH on this server) from a Windows machine; we can do so like this:
Test-NetConnection -ComputerName 220.127.116.11 -Port 7022
(Remember to replace the IP address with the one that your server is assigned.)
The output ends with a TcpTestSucceeded line that reads True if the TCP handshake completed and False if the connection was refused, filtered, or timed out.
You can use this to verify whether CSF is working as it should. Every port in "TCP_IN" should succeed, and a port that is not listed (for example a database port you have not opened) should fail. Run the check from an address that is not in /etc/csf/csf.allow; from a whitelisted address everything appears open and the test proves nothing. To try a new port, add it to the "TCP_IN" variable in the CSF config file, reload the rules with csf -r, and test again.
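The same check from a Linux or macOS shell, as an added example that is not part of the tutorial or of CSF: it uses bash's /dev/tcp pseudo-device, so nothing needs to be installed on the checking machine, and it reports how many of the listed ports refused a connection. The address in the usage comments is a documentation address, not a real server.

```shell
#!/usr/bin/env bash
# Added example: Linux/macOS counterpart of the Test-NetConnection check. Not CSF code.

# tcp_port_open HOST PORT [TIMEOUT_SECONDS] -> exit 0 if a TCP handshake completes.
# A refused or filtered port, or a timeout, returns non-zero.
tcp_port_open() {
    local host=$1 port=$2 secs=${3:-3}
    if command -v timeout >/dev/null 2>&1; then
        timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        # No coreutils timeout (e.g. stock macOS): a filtered port may take a while to fail.
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# check_ports HOST PORT... -> prints one "host:port open|closed" line per port and
# returns the number of closed ports, so 0 means every listed port accepted a connection.
check_ports() {
    local host=$1 port closed=0
    shift
    for port in "$@"; do
        if tcp_port_open "$host" "$port"; then
            echo "$host:$port open"
        else
            echo "$host:$port closed"
            closed=$((closed + 1))
        fi
    done
    return "$closed"
}

# Usage (203.0.113.10 is a placeholder, assumed address). Run from a machine whose
# address is NOT in csf.allow, otherwise every port appears open.
# check_ports 203.0.113.10 7022 80 443   # ports in TCP_IN: expect 0 closed
# check_ports 203.0.113.10 3306 6379     # ports not in TCP_IN: expect 2 closed
```

"open" here means only that a TCP handshake completed; it says nothing about what is listening or whether the service itself is healthy, which is the same limitation as TcpTestSucceeded. Run the two calls as a pair: the first confirms you have not cut yourself off, the second confirms the firewall is actually filtering.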
Once the allowed ports answer and the others do not, congratulations! You have successfully set up CSF on your CentOS 7 server.