install and configure csf on almalinux

How to Install and Configure CSF on AlmaLinux

Guides, Tutorials
Spread the love

In this tutorial we are going to install and explain in step-by-step detail how to configure CSF on AlmaLinux OS.

Config Server Firewall or CSF is a free and advanced firewall for most Linux distributions. CSF can be easily installed on a server with control panels such as DirectAdmin, WHM/cPanel and etc. It includes security features such as login, intrusion, flood detections, and many more. With CSF we can easily block IP addresses, whitelist IP addresses, open and close ports and etc.

Installing and configuring CSF on AlmaLinux is a straightforward process that may take up to 10 minutes. Let’s get started!

Prerequisites

  • A server with AlmaLinux 20.04 as OS
  • User privileges: root or non-root user with sudo privileges

Step 1. Update the System

Before we install the CSF we need to update the system packages to the latest version available.

sudo dnf update -y && sudo dnf upgrade -y

Step 2. Download and Install CSF

Install some prerequisites before you download and install CSF

sudo dnf install epel-release -y

sudo dnf install iptables perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph wget tar perl-Math-BigInt -y

Then download the CSF file.

cd /usr/src 

wget https://download.configserver.com/csf.tgz

Once downloaded, extract the csf file with the following command:

tar zxvf csf.tgz

Once extracted enter in the csf directory and execute the script for installation.

cd csf/

sh install.sh

After successfull installation you should receive the following output:

Don't forget to:
1. Configure the following options in the csf configuration to suite your server: TCP_*, UDP_*
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so

Adding current SSH session IP address to the csf whitelist in csf.allow:
Can't locate lib.pm in @INC (you may need to install the lib module) (@INC contains: /usr/local/lib64/perl5/5.32 /usr/local/share/perl5/5.32 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at /usr/sbin/csf line 10.
BEGIN failed--compilation aborted at /usr/sbin/csf line 10.
'lfd.service' -> '/usr/lib/systemd/system/lfd.service'
'csf.service' -> '/usr/lib/systemd/system/csf.service'
Created symlink /etc/systemd/system/multi-user.target.wants/csf.service → /usr/lib/systemd/system/csf.service.
Created symlink /etc/systemd/system/multi-user.target.wants/lfd.service → /usr/lib/systemd/system/lfd.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'

Installation Completed

As you can see the first message is a reminder that the CSF is not configured. Before we configure CSF, we can check if the required iptables modules are installed. Execute the command below:

sudo perl /usr/local/csf/bin/csftest.pl

If everything is OK, you should receive the following output:

[root@host csf]# sudo perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Step 3. Manage the CSF service

In the previous step we downloaded and installed the CSF. After that, we confirmed that the iptables modules are loaded. Next is to start and enable the CSF service.

To start and enable the CSF service execute the commands below:

sudo systemctl start csf.service && sudo systemctl enable csf.service

To check the status of the CSF service:

sudo systemctl status csf.service

You should receive the following output:

[root@host csf]# sudo systemctl status csf
● csf.service - ConfigServer Firewall & Security - csf
   Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: disabled)
   Active: active (exited) since Mon 2022-08-08 17:13:49 EDT; 5s ago
 Main PID: 6595 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 23666)
   Memory: 0B
   CGroup: /system.slice/csf.service

Aug 08 17:13:49 host.test.vps csf[6595]: csf: FASTSTART loading UDP_IN (IPv4)
Aug 08 17:13:49 host.test.vps csf[6595]: csf: FASTSTART loading UDP_OUT (IPv4)
Aug 08 17:13:49 host.test.vps csf[6595]: ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0
Aug 08 17:13:49 host.test.vps csf[6595]: ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0
Aug 08 17:13:49 host.test.vps csf[6595]: LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
Aug 08 17:13:49 host.test.vps csf[6595]: LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
Aug 08 17:13:49 host.test.vps csf[6595]: csf: FASTSTART loading DNS (IPv4)
Aug 08 17:13:49 host.test.vps csf[6595]: LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
Aug 08 17:13:49 host.test.vps csf[6595]: LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
Aug 08 17:13:49 host.test.vps systemd[1]: Started ConfigServer Firewall & Security - csf.

Step 4. Configuring CSF

In Step 2. we received the following output after the installation process:

1. Configure the following options in the csf configuration to suite your server: TCP_*, UDP_*
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so.

First add the following ports for TCP in /etc/csf.conf

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

Next, set Testing to 0

# lfd will not start while this is enabled
TESTING = "0"

End the last is to start the ldf service and restart the CSF for the changes to take effectivity

sudo systemctl start lfd.service

sudo systemctl restart csf.service

Check the status of the lfd service

sudo systemctl status lfd.service

You should receive the following output:

[root@host csf]# systemctl status lfd
● lfd.service - ConfigServer Firewall & Security - lfd
   Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-08-08 17:31:26 EDT; 13s ago
  Process: 6961 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
 Main PID: 6970 (lfd - sleeping)
    Tasks: 1 (limit: 23666)
   Memory: 124.2M
   CGroup: /system.slice/lfd.service
           └─6970 lfd - sleeping

Step 5. Basic CSF commands

This is the last step of our tutorial about CSF and in this paragraph we will show you some basic CSF commands.

Enable CSF

csf -e

Whitelist IP address in CSF

csf -a 192.168.1.1

Block IP address in CSF

csf -d 192.168.1.2

Displays the current list of temporary allow and deny IP entries with their TTL and comments

csf -t

Restart CSF

csf -r

Disable CSF

csf -x

That’s it. You successfully installed and configured CSF on AlmaLinux OS. Also, you learned the most used CSF commands in no time. If you find any difficulties with this setup you can always contact our technical support and we will help you immediately. We are available 24/7. You just need to sign up for one of our NVMe VPS plans and submit a support ticket.

If you liked this about installing and configuring CSF on AlmaLinux, please share it with your friends on the social networks using the buttons on the left or simply leave a reply below.

Leave a Reply

Your email address will not be published. Required fields are marked *