In this tutorial we are going to install and explain in step-by-step detail how to configure CSF on AlmaLinux OS.
Config Server Firewall or CSF is a free and advanced firewall for most Linux distributions. CSF can be easily installed on a server with control panels such as DirectAdmin, WHM/cPanel and etc. It includes security features such as login, intrusion, flood detections, and many more. With CSF we can easily block IP addresses, whitelist IP addresses, open and close ports and etc.
Installing and configuring CSF on AlmaLinux is a straightforward process that may take up to 10 minutes. Let’s get started!
Prerequisites
- A server with AlmaLinux 20.04 as OS
- User privileges: root or non-root user with sudo privileges
Step 1. Update the System
Before we install the CSF we need to update the system packages to the latest version available.
sudo dnf update -y && sudo dnf upgrade -y
Step 2. Download and Install CSF
Install some prerequisites before you download and install CSF
sudo dnf install epel-release -y sudo dnf install iptables perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph wget tar perl-Math-BigInt -y
Then download the CSF file.
cd /usr/src wget https://download.configserver.com/csf.tgz
Once downloaded, extract the csf file with the following command:
tar zxvf csf.tgz
Once extracted enter in the csf directory and execute the script for installation.
cd csf/ sh install.sh
After successfull installation you should receive the following output:
Don't forget to: 1. Configure the following options in the csf configuration to suite your server: TCP_*, UDP_* 2. Restart csf and lfd 3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so Adding current SSH session IP address to the csf whitelist in csf.allow: Can't locate lib.pm in @INC (you may need to install the lib module) (@INC contains: /usr/local/lib64/perl5/5.32 /usr/local/share/perl5/5.32 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at /usr/sbin/csf line 10. BEGIN failed--compilation aborted at /usr/sbin/csf line 10. 'lfd.service' -> '/usr/lib/systemd/system/lfd.service' 'csf.service' -> '/usr/lib/systemd/system/csf.service' Created symlink /etc/systemd/system/multi-user.target.wants/csf.service → /usr/lib/systemd/system/csf.service. Created symlink /etc/systemd/system/multi-user.target.wants/lfd.service → /usr/lib/systemd/system/lfd.service. Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. Removed /etc/systemd/system/multi-user.target.wants/firewalld.service. Created symlink /etc/systemd/system/firewalld.service → /dev/null. '/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz' Installation Completed
As you can see the first message is a reminder that the CSF is not configured. Before we configure CSF, we can check if the required iptables modules are installed. Execute the command below:
sudo perl /usr/local/csf/bin/csftest.pl
If everything is OK, you should receive the following output:
[root@host csf]# sudo perl /usr/local/csf/bin/csftest.pl Testing ip_tables/iptable_filter...OK Testing ipt_LOG...OK Testing ipt_multiport/xt_multiport...OK Testing ipt_REJECT...OK Testing ipt_state/xt_state...OK Testing ipt_limit/xt_limit...OK Testing ipt_recent...OK Testing xt_connlimit...OK Testing ipt_owner/xt_owner...OK Testing iptable_nat/ipt_REDIRECT...OK Testing iptable_nat/ipt_DNAT...OK RESULT: csf should function on this server
Step 3. Manage the CSF service
In the previous step we downloaded and installed the CSF. After that, we confirmed that the iptables modules are loaded. Next is to start and enable the CSF service.
To start and enable the CSF service execute the commands below:
sudo systemctl start csf.service && sudo systemctl enable csf.service
To check the status of the CSF service:
sudo systemctl status csf.service
You should receive the following output:
[root@host csf]# sudo systemctl status csf ● csf.service - ConfigServer Firewall & Security - csf Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: disabled) Active: active (exited) since Mon 2022-08-08 17:13:49 EDT; 5s ago Main PID: 6595 (code=exited, status=0/SUCCESS) Tasks: 0 (limit: 23666) Memory: 0B CGroup: /system.slice/csf.service Aug 08 17:13:49 host.test.vps csf[6595]: csf: FASTSTART loading UDP_IN (IPv4) Aug 08 17:13:49 host.test.vps csf[6595]: csf: FASTSTART loading UDP_OUT (IPv4) Aug 08 17:13:49 host.test.vps csf[6595]: ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0 Aug 08 17:13:49 host.test.vps csf[6595]: ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0 Aug 08 17:13:49 host.test.vps csf[6595]: LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 Aug 08 17:13:49 host.test.vps csf[6595]: LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 Aug 08 17:13:49 host.test.vps csf[6595]: csf: FASTSTART loading DNS (IPv4) Aug 08 17:13:49 host.test.vps csf[6595]: LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 Aug 08 17:13:49 host.test.vps csf[6595]: LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 Aug 08 17:13:49 host.test.vps systemd[1]: Started ConfigServer Firewall & Security - csf.
Step 4. Configuring CSF
In Step 2. we received the following output after the installation process:
1. Configure the following options in the csf configuration to suite your server: TCP_*, UDP_* 2. Restart csf and lfd 3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so.
First add the following ports for TCP in /etc/csf.conf
# Allow incoming TCP ports TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995" # Allow outgoing TCP ports TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
Next, set Testing to 0
# lfd will not start while this is enabled TESTING = "0"
End the last is to start the ldf service and restart the CSF for the changes to take effectivity
sudo systemctl start lfd.service sudo systemctl restart csf.service
Check the status of the lfd service
sudo systemctl status lfd.service
You should receive the following output:
[root@host csf]# systemctl status lfd ● lfd.service - ConfigServer Firewall & Security - lfd Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: disabled) Active: active (running) since Mon 2022-08-08 17:31:26 EDT; 13s ago Process: 6961 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS) Main PID: 6970 (lfd - sleeping) Tasks: 1 (limit: 23666) Memory: 124.2M CGroup: /system.slice/lfd.service └─6970 lfd - sleeping
Step 5. Basic CSF commands
This is the last step of our tutorial about CSF and in this paragraph we will show you some basic CSF commands.
Enable CSF
csf -e
Whitelist IP address in CSF
csf -a 192.168.1.1
Block IP address in CSF
csf -d 192.168.1.2
Displays the current list of temporary allow and deny IP entries with their TTL and comments
csf -t
Restart CSF
csf -r
Disable CSF
csf -x
That’s it. You successfully installed and configured CSF on AlmaLinux OS. Also, you learned the most used CSF commands in no time. If you find any difficulties with this setup you can always contact our technical support and we will help you immediately. We are available 24/7. You just need to sign up for one of our NVMe VPS plans and submit a support ticket.
If you liked this about installing and configuring CSF on AlmaLinux, please share it with your friends on the social networks using the buttons on the left or simply leave a reply below.