How to Install the CSF Firewall on CentOS 7

 In Dedicated, Security, VPS

One of the first things you should do after installing CentOS 7 is to configure a decent firewall. The normal firewall that comes preinstalled on CentOS is called iptables – and even though that is a very thorough solution, it’s usually targeted towards more experienced users, and because of its steeper learning curve, it can feel unintuitive to get started with. This is why we recommend a 3rd party solution called ConfigServer Security & Firewall (CSF). It’s free, open-source, and is one of the best ways to manage your firewall needs on CentOS.

In this tutorial, we will go in-depth on how to install, configure, and block ports using CSF. This tutorial focuses on installing CSF on a CentOS 7.

Step 1: Checking for Pre-Requisites

The CSF package relies on Perl for some of its functionality. So first we need to make sure that Perl is installed by running the following command:

yum list installed perl

You should see something like this if Perl is installed:

Perl is Installed

If it’s not installed, then you can install it by typing:

sudo yum install perl

And you’re done. Now we can proceed with the CSF installation.

Step 2: Downloading, Extracting and Installing CSF

You can use our command below to directly download and extract the latest version of CFS using their current direct download link. If the link changes, visit CFS’ webpage for the latest download link for CSF. You should find it here, like this:

Webpage for Download Link

Copy the link. Now, we can download and extract it all at the same time, like this:

wget -qO- https://download.configserver.com/csf.tgz | tar xvz

This creates a new folder called “csf”. Navigate into it:

cd csf

And install the package:

sudo sh install.sh

The installation should complete quickly. Now we can activate the script which tells us that CSF is ready to install. It’ll check our system setup and tell us if everything is in order:

perl /usr/local/csf/bin/csftest.pl

If all goes well, you should get an output like this:

CSF Can be Installed

This means that CSF is ready to run on your system.

Step 3: Ensuring that you Don’t Lock Yourself Out

First things first – before activating any firewall solution, you need to make sure of two things:

  1. Your SSH port is open
  2. Your IP address is whitelisted

Note: Without these two key factors, you risk getting locked out of your own server! CSF is smart enough to auto-whitelist both. Even if you use a custom SSH port, CSF will add it to its list of whitelisted ports. However, even with this additional protection, it’s always a good idea to verify this.

To do this, open the CSF configuration file /etc/csf/csf.conf in your preferred text editor. For example:

nano /etc/csf/csf.conf

Now scroll down to the line called “TCP_IN”. This is a comma-separated list of ports to which access is allowed. Most of the common ones are already whitelisted such as those for HTTP and HTTPS. However, note that the last port is “7022”:

Port Successfully Added Automatically

“7022” is the custom SSH port set up on this server. So, CSF has done its job and automatically added it to the list of allowed ports.

CSF also includes a login daemon that watches out for repeated attempts to infiltrate your server. The service is called lfd, and we should enable it by setting the “TESTING” variable to “0” in the CSF config file, like this:

Disable “TESTING”

Save your changes, and CSF is now configured and ready to run.

Step 4: Enabling CSF

To start CSF and allow it to work its magic, we need to use the following command:

systemctl start csf

And we can test the status like this:

systemctl status csf

Which gives us the following output:

CSF is Active

Now, let’s verify it.

Step 5: Verifying That the Port is Open/Closed

The latest version of Windows comes with PowerShell. You can use it to test whether a port is open on a remote host. So let’s say we want to verify port number 7022 (SSH on this server), we can do so like this:

Test-NetConnection -ComputerName 206.196.115.159 -Port 7022

(Remember to replace the IP address with the one that your server is assigned with)

This command should end with a “success” or a “failure” message like this:

Port Open Test After CSF is Set Up

 

You can use this to verify whether CSF is working as it should. Check a few of the ports, and add some new ones to the “TCP_IN” variable in the CSF config file to see if everything is functioning as it should.

If it is, then congratulations! You have successfully set up CSF on your CentOS.

Recommended Posts

Start typing and press Enter to search