Chris Luke
Posted April 21, 2023

ConfigServer Security & Firewall (CSF) is a popular Linux firewall security suite. It is easy to install, flexible to configure, and secure, with extra checks. CSF helps to control exactly what traffic is allowed in and out of the server and to protect the server from malicious attacks.

Preliminary Requirements: CentOS 7, Fedora 23, Ubuntu 16.04 or Debian 8 OS installed.

Installation Of ConfigServer Security & Firewall

For CentOS / Fedora, first install the Perl packages that CSF requires:

    yum install perl-libwww-perl.noarch perl-Time-HiRes perl-core zip unzip bind-utils -y

For Ubuntu and Debian, install the following packages:

    apt-get install e2fsprogs dnsutils libwww-perl -y

Then download the CSF source archive and unpack it:

    wget http://download.configserver.com/csf.tgz
    tar xzf csf.tgz

Then run the CSF installation script:

    cd csf
    sh install.sh

After installation, run the test to make sure that all required iptables modules are installed on your VPS:

    perl /usr/local/csf/bin/csftest.pl

If all required iptables modules are installed, you will receive this result:

    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK

    RESULT: csf should function on this server

After checking the iptables modules, we need to enable CSF.
To do this, open and edit the configuration file:

    vi /etc/csf/csf.conf

Change the "TESTING" value to zero:

    TESTING = "0"

Also, change the "RESTRICT_SYSLOG" value to 3:

    RESTRICT_SYSLOG = "3"

Save the configuration file and execute the following command to restart CSF and load the new settings:

    csf -r

If, after the restart, you receive a warning that starts with "*WARNING* Binary location for [SENDMAIL]", run the following commands:

    echo '#!/bin/sh' > /usr/sbin/sendmail
    chmod +x /usr/sbin/sendmail

Then, to check that everything is fine, run the restart again:

    csf -r

That is it: ConfigServer Security & Firewall is now installed on your server.

Enable ConfigServer Security & Firewall Web UI

ConfigServer Security & Firewall provides a built-in Web UI for managing the firewall via a browser. After enabling the Web UI, you will be able to access the firewall on a specified port and manage it through a graphical interface.

First, install the Perl modules required for the Web UI.

For CentOS / Fedora execute:

    yum install perl-IO-Socket-INET6 perl-Socket6 -y

For Debian / Ubuntu execute:

    apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libwww-perl -y

To enable the Web UI, edit the configuration file:

    vi /etc/csf/csf.conf

You need to modify the following values:

    # 1 to enable, 0 to disable
    UI = "1"

    # Set this to the port that want to bind this service to. You should configure
    # this port to be >1023 and different from any other port already being used
    #
    # Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
    # to the port using Advanced Allow Filters (see readme.txt)
    UI_PORT = "7777"

    # Optionally set the IP address to bind to. Normally this should be left blank
    # to bind to all IP addresses on the server.
    #
    # If the server is configured for IPv6 but the IP to bind to is IPv4, then the
    # IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
    # ::ffff:1.2.3.4
    #
    # Leave blank to bind to all IP addresses on the server
    UI_IP = "111.111.111.111"

    # This should be a secure, hard to guess username
    #
    # This must be changed from the default
    UI_USER = "username"

    # This should be a secure, hard to guess password. That is, at least 8
    # characters long with a mixture of upper and lowercase characters plus
    # numbers and non-alphanumeric characters
    #
    # This must be changed from the default
    UI_PASS = "password"

where:

    UI - should be "1" to enable the Web UI;
    UI_PORT - port for accessing the CSF firewall via the browser;
    UI_IP - your server's IP address. Leave it blank to bind to all IP addresses on the server (e.g. if you have additional IPs);
    UI_USER - username for accessing the CSF firewall via the browser;
    UI_PASS - password for accessing the CSF firewall via the browser.

After that, add your public IP to the /etc/csf/ui/ui.allow file in order to allow access to the CSF Web UI:

    echo "your_public_ip_address" >> /etc/csf/ui/ui.allow

Finally, restart lfd (the Login Failure Daemon), which runs the CSF Web UI:

    service lfd restart

Now you can access the ConfigServer Security & Firewall Web UI via your server's IP address and the port specified earlier:

    https://server_ip_address:port

Note: use HTTPS to access the Web UI.

DoS / DDoS Attacks Prevention With ConfigServer Security & Firewall

It is possible to configure ConfigServer Security & Firewall to protect a VPS from small and limited DDoS attacks. To enable this, you need to edit the /etc/csf/csf.conf file. If you have enabled the Web UI, you can edit the configuration file through it: go to "ConfigServer Firewall" and select "Firewall Configuration".
Otherwise, edit /etc/csf/csf.conf via SSH:

    vi /etc/csf/csf.conf

First of all, set the total number of connections allowed from a single host:

    CT_LIMIT = "20"

Set the connection tracking interval (in seconds):

    CT_INTERVAL = "30"

Enable sending an email alert for each blocked IP address:

    CT_EMAIL_ALERT = "1"

Enable permanent blocking of IP addresses ("1" for enabled, "0" for disabled):

    CT_PERMANENT = "1"

If you did not enable permanent blocking, you can set the interval (in seconds) for which an IP will remain blocked:

    CT_BLOCK_TIME = "1800"

If you would like to enable connection tracking only for specific ports, list them in CT_PORTS. If you leave it empty, all ports are checked:

    CT_PORTS = "22,23,80,443"

After that, you need to restart the CSF service and the lfd daemon. If you made the changes via the Web UI, just press the "Restart csf+lfd" button. Otherwise, execute the following command via SSH:

    csf -r && service lfd restart

More information about ConfigServer Security & Firewall can be found here: https://www.configserver.com/cp/csf.html
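The Web UI settings above are easy to get wrong in ways the csf.conf comments warn about (UI port opened in TCP_IN, placeholder credentials left in place, firewall still in test mode). The script below is an added example, not part of the original post or of CSF itself; the function names `conf_get` and `audit_csf_conf` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a csf.conf for the
# settings this guide changes. Function names are hypothetical.

# Print the quoted value of key $2 in file $1 (empty if missing or unquoted).
conf_get() {
    awk -F'"' -v k="$2" '{ n = $1; gsub(/[ \t=]/, "", n) }
        n == k { v = $2 } END { print v }' "$1"
}

# Print one finding per line; print nothing when the file passes.
audit_csf_conf() {
    f=$1
    [ "$(conf_get "$f" TESTING)" = "0" ] ||
        echo "TESTING is not \"0\": firewall is still in test mode"
    [ "$(conf_get "$f" RESTRICT_SYSLOG)" = "3" ] ||
        echo "RESTRICT_SYSLOG is not \"3\""
    [ "$(conf_get "$f" UI)" = "1" ] || return 0   # UI off: nothing more to check
    port=$(conf_get "$f" UI_PORT)
    case $port in
        ''|*[!0-9]*) echo "UI_PORT is missing or not numeric" ;;
        *) [ "$port" -gt 1023 ] || echo "UI_PORT $port is not above 1023"
           # Exact port matches only; port ranges in TCP_IN are not expanded.
           case ",$(conf_get "$f" TCP_IN)," in
               *",$port,"*) echo "UI_PORT $port is listed in TCP_IN (open to all sources)" ;;
           esac ;;
    esac
    [ "$(conf_get "$f" UI_USER)" != "username" ] ||
        echo "UI_USER is still the placeholder \"username\""
    pass=$(conf_get "$f" UI_PASS)
    if [ "$pass" = "password" ] || [ "${#pass}" -lt 8 ]; then
        echo "UI_PASS is the placeholder or shorter than 8 characters"
    fi
}

# Constructed sample input: a config with three mistakes.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
TESTING = "0"
RESTRICT_SYSLOG = "3"
TCP_IN = "20,21,22,80,443,7777"
UI = "1"
UI_PORT = "7777"
UI_USER = "username"
UI_PASS = "S3cure!"
EOF
audit_csf_conf "$sample"
```

On a real server, run `audit_csf_conf /etc/csf/csf.conf` after editing and before `csf -r`.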
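Before making CT_LIMIT blocks permanent, it helps to see which remote hosts would exceed the limit on the ports named in CT_PORTS. The script below is an added example, not part of the original post and not lfd's own logic: it approximates the check by counting peers in `ss -Htn` style output, and the function names and sample connections are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: preview which remote hosts
# would exceed CT_LIMIT. This approximates the check; it is not lfd's code.

# Read `ss -Htn` style lines on stdin (State Recv-Q Send-Q Local Peer) and
# print "count ip" for each peer with more than $1 connections to the local
# ports in $2 (comma-separated; empty means all ports, as with CT_PORTS).
ct_preview() {
    awk -v limit="$1" -v ports="$2" '
        BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            lport = $4; peer = $5
            sub(/.*:/, "", lport)          # local port: text after the last colon
            sub(/:[0-9]+$/, "", peer)      # strip the peer port
            gsub(/^\[|\]$/, "", peer)      # unwrap [IPv6] addresses
            if (ports == "" || (lport in want)) count[peer]++
        }
        END { for (ip in count) if (count[ip] > limit) print count[ip], ip }
    ' | sort -rn
}

# Constructed sample input (documentation address ranges): 25 connections to
# port 443 from one host, 30 to port 8080 from another, 1 SSH session.
sample_ss() {
    i=0
    while [ "$i" -lt 30 ]; do
        [ "$i" -ge 25 ] ||
            echo "ESTAB 0 0 203.0.113.10:443 198.51.100.7:$((40000 + i))"
        echo "ESTAB 0 0 203.0.113.10:8080 192.0.2.99:$((41000 + i))"
        i=$((i + 1))
    done
    echo "ESTAB 0 0 203.0.113.10:22 192.0.2.44:50122"
}

# With the guide's values only the port-443 host is over the limit,
# because port 8080 is not in CT_PORTS.
sample_ss | ct_preview 20 "22,23,80,443"
```

On a live server, replace `sample_ss` with `ss -Htn` to see the current picture before choosing CT_LIMIT and CT_PERMANENT.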