How to install CSF firewall on Centos 7

This document describes how to install CSF (ConfigServer Security & Firewall) on CentOS 7.

Step 1: Disable firewalld

# systemctl stop firewalld
# systemctl disable firewalld
# systemctl mask firewalld

Step 2: Install iptables

# yum -y install iptables-services

Create the empty rules files that the iptables services expect before they will start:

# touch /etc/sysconfig/iptables
# touch /etc/sysconfig/ip6tables

Step 3: Start and enable the iptables service

Start the Iptables Service:

# systemctl start iptables
# systemctl start ip6tables
# systemctl enable iptables
# systemctl enable ip6tables

Step 4: Install CSF and its dependencies

# yum -y install perl perl-libwww-perl net-tools wget perl-GDGraph perl-LWP-Protocol-https
# cd /opt
# wget https://download.configserver.com/csf.tgz
# tar xzf csf.tgz
# cd /opt/csf
# sh install.sh

Step 5: Run the Perl check script to verify that CSF will function properly on the server:

# perl /usr/local/csf/bin/csftest.pl

Step 6: Configuring the CSF firewall

The CSF Configuration file is located at /etc/csf/csf.conf.

Follow the documentation within the config file to configure the firewall. Use nano or vi to edit the configuration file.

To edit the config, run:

# vi /etc/csf/csf.conf

CSF is now installed, but by default it runs in "Testing" mode. To leave testing mode, make the following change in the CSF configuration file:

Ex: TESTING = "0"

Step 7: After making your required changes, save your configuration file, and restart the firewall:

# csf -r

Basic CSF Commands:
*******************

If you forget the command you are looking for, just type 'csf' on the command line and you will receive a list of all of your options.

1. Start the firewall (enable the firewall rules):

# csf -s

2. Flush/Stop the firewall rules.

# csf -f

3. Reload the firewall rules.

# csf -r

4. Allow an IP and add it to csf.allow.

# csf -a 192.168.1.109

Results:
Adding 192.168.1.109 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 192.168.1.109 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.109

5. Remove and delete an IP from csf.allow.

# csf -ar 192.168.1.109

Results:
Removing rule...
ACCEPT all opt -- in !lo out * 192.168.1.109 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.109

6. Deny an IP and add to csf.deny:

# csf -d 192.168.1.109

Results:
Adding 192.168.1.109 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 192.168.1.109 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.109

7. Remove and delete an IP from csf.deny.

# csf -dr 192.168.1.109

Results:
Removing rule...
DROP all opt -- in !lo out * 192.168.1.109 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.109

8. Remove and Unblock all entries from csf.deny.

# csf -df

Results:
DROP all opt -- in !lo out * 192.168.1.110 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.110
DROP all opt -- in !lo out * 192.168.1.111 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.1.111
csf: all entries removed from csf.deny

9. Search for a pattern match in the iptables rules, e.g. an IP, CIDR range or port number:

# csf -g 192.168.1.110

CSF Additional settings:
************************

Port Flood Protection:

This protects the server from port-flood attacks, i.e. flooding the common ports with a huge number of connections so that the services listening on those ports are denied or hang.

With this option we set the maximum number of new connections a port will accept within an interval; connections beyond that limit are blocked by the firewall. The syntax of the PORTFLOOD field is given below.

Syntax:

PORTFLOOD = "port;protocol;hit_count;interval_in_seconds"

You can add multiple ports separated by commas.

Here is an example for enabling port flood protection:

Ex: PORTFLOOD = "80;tcp;50;10"

This means that if the number of connections to port 80 exceeds 50 in ten seconds, all the new connections will be blocked.

Connection Limit Protection:

This option sets the maximum number of concurrent connections to a particular open port on the server from a single IP address. It is intended as protection against denial-of-service (DoS) attacks.

Syntax:

CONNLIMIT = "port;limit"

We can set connection limits for multiple ports separated by commas. Here is an example:

CONNLIMIT = "80;10,21;2"

This means, the maximum concurrent connections to port 80 (HTTP) from a single IP is 10 and to port 21 (FTP) per IP is 2.

Connection Tracking:

This option sets the maximum number of connections of any kind from a single IP address to the server. If the total number of connections from that IP address exceeds the set value, the offending IP address is blocked. This also provides protection against denial-of-service (DoS) attacks.

Here are the examples of CT options in the configuration:

CT_LIMIT = "100"

All IPs with more than 200 connections will be blocked.

CT_PERMANENT = "1"

IPs exceeding the connection limit will be blocked permanently.

CT_BLOCK_TIME = "3600"

This sets the duration of the block for an IP that exceeded the connection limit. The above setting blocks the IP with excess connections for 3600 seconds, i.e. 1 hour.

CT_INTERVAL = "60"

This value sets the interval in seconds between Connection Tracking scans; in the above example the scans take place every 60 seconds.
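As an added example (not part of this document or of CSF itself), the following POSIX shell script reads a csf.conf and checks that TESTING is "0" and that every PORTFLOOD and CONNLIMIT entry follows the syntax described above, so a typo is caught before csf -r loads it. The sample configuration inside it is constructed for the example, and restricting the PORTFLOOD protocol to tcp or udp is the example's own assumption.

```shell
#!/bin/sh
# Sanity-check the TESTING, PORTFLOOD and CONNLIMIT lines of a csf.conf before
# reloading with `csf -r`. Exit status 0 means every entry is well-formed and TESTING is off.
# Print the value of `KEY = "value"` from file $2 with the quotes stripped.
csf_get() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\(.*\)\"[[:space:]]*$/\1/p" "$2" | tail -n 1
}
# One PORTFLOOD entry: port;protocol;hit_count;interval (tcp or udp, all numbers > 0).
portflood_entry_ok() {
    echo "$1" | awk -F';' 'NF == 4 && $1 ~ /^[0-9]+$/ && $1 >= 1 && $1 <= 65535 &&
        ($2 == "tcp" || $2 == "udp") && $3 ~ /^[0-9]+$/ && $3 > 0 &&
        $4 ~ /^[0-9]+$/ && $4 > 0 { ok = 1 } END { exit ok ? 0 : 1 }'
}
# One CONNLIMIT entry: port;limit.
connlimit_entry_ok() {
    echo "$1" | awk -F';' 'NF == 2 && $1 ~ /^[0-9]+$/ && $1 >= 1 && $1 <= 65535 &&
        $2 ~ /^[0-9]+$/ && $2 > 0 { ok = 1 } END { exit ok ? 0 : 1 }'
}
# Run checker $1 over every comma-separated entry of $2; an empty value means the feature is off.
check_list() {
    lrc=0; oldifs=$IFS; IFS=','
    for entry in $2; do
        "$1" "$entry" || { echo "malformed entry: $entry" >&2; lrc=1; }
    done
    IFS=$oldifs; return $lrc
}
check_csf_conf() {   # $1 = path to csf.conf
    rc=0
    # While TESTING is "1" CSF keeps clearing its rules on a timer, so nothing is enforced.
    [ "$(csf_get TESTING "$1")" = "0" ] || { echo "TESTING is not 0: still in testing mode" >&2; rc=1; }
    check_list portflood_entry_ok "$(csf_get PORTFLOOD "$1")" || rc=1
    check_list connlimit_entry_ok "$(csf_get CONNLIMIT "$1")" || rc=1
    return $rc
}
# Constructed sample for this example: the third PORTFLOOD entry uses an unsupported protocol.
write_sample_conf() {
    cat > "$1" <<'EOF'
TESTING = "0"
PORTFLOOD = "80;tcp;50;10,22;tcp;5;300,53;icmp;10;10"
CONNLIMIT = "80;10,21;2"
EOF
}
demo=$(mktemp); write_sample_conf "$demo"
if check_csf_conf "$demo"; then echo "csf.conf looks sane"; else echo "fix csf.conf before csf -r"; fi
rm -f "$demo"
```

Point check_csf_conf at /etc/csf/csf.conf on the server to check the real file.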

These are the basic security settings. There are a lot of advanced options, such as:

PACKET_FILTER – To drop invalid packets.

SYNFLOOD – To drop TCP SYN-packet DoS attempts (recommended only if you are under a DoS attack).

ICMP_IN and ICMP_OUT – To allow/deny incoming and outgoing ping (ICMP) packets.

SYSLOG and RESTRICT_SYSLOG – To enable logging of login failures to syslog/rsyslog, etc.