Securing CentOS 7 VPS with CSF for Newbie

Easy guide for newbie how to install or setup ConfigServer Security and Firewall package on CentOS 7 VPS. That’s why I always do my best to put screenshot pics on every tutorial / guide in this blog. And for this time, I will show you a step-by-step guide on CSF installation to secure your server running CentOS 7.

A Glance about CSF

Known as CSF for short, CSF stands for ConfigServer Security and Firewall which is an opensource software firewall application used widely on many Linux platform. The software is developed by Way to the Web Limited under Open Source license (read: Free).

How it works? CSF configures your server’s firewall to lock down any public access to services and only allow certain connections. You can allow or deny or block connections for specific ports you want.

Being so popular, even many hosting control panels are made compatible with it. Say it cPanel, Webmin, VestaCP and more.

CSF Key Features

Straight-forward SPI iptables firewall script
Daemon process that checks for login authentication failures for:
– Courier imap, Dovecot, uw-imap, Kerio
– openSSH
– cPanel, WHM, Webmail (cPanel servers only)
– Pure-ftpd, vsftpd, Proftpd
– Password protected web pages (htpasswd)
– Mod_security failures (v1 and v2)
– Suhosin failures
– Exim SMTP AUTH
– Custom login failures with separate log file and regular expression matching
POP3/IMAP login tracking to enforce logins per hour
SSH login notification
SU login notification
Excessive connection blocking
UI Integration for cPanel, DirectAdmin and Webmin
Easy upgrade between versions from shell
Auto-configures the SSH port if it’s non-standard on installation
Block traffic on unused server IP addresses
Alert when end-user scripts sending excessive emails per hour
Suspicious process reporting
Excessive user processes reporting
Excessive user process usage reporting and optional termination
Suspicious file reporting
Directory and file watching
Block traffic on the DShield Block List and the Spamhaus DROP List
BOGON packet protection
Works with multiple ethernet devices
Server Security Check
Allow Dynamic DNS IP addresses
and many more!

Prerequisites

1. A SSH client like Putty and basic knowledge about how to use it.
2. Basic knowledge about common Unix command to SSH to your server.
3. A server or VPS with at least 256MB of RAM (512MB recommended). If you not already have one then you can read my list of recommended VPS providers or these top low end cloud server providers. Quick recommendation: Atlantic.net, Digital Ocean and RamNode.
4. Make sure your server is running CentOS 7 or RHEL 7.
5. About 15 minutes of your time
6. a cup of coffee or tea.

How to Install CSF on CentOS 7

Step 1 – Login to your server as root or as a user with root privilege:

Step 2 – In case if firewall already comes built-in with your CentOS installation, then stop its service with this command:

systemctl disable firewalld
systemctl stop firewalld

The output will simply be like this:

Step 3 – Then install iptables via yum command:

yum -y install iptables-services

screenshot:

Step 4 – Create necessary files which are needed by ip-tables.

touch /etc/sysconfig/iptables
touch /etc/sysconfig/iptables6

sample output:

Step 5 – You can now safely start iptables service using sytemctl command:

systemctl start iptables
systemctl start ip6tables

sample output:

Step 6 – To make sure iptables service always runs each time your server reboot, then do this:

systemctl enable iptables
systemctl enable ip6tables

screenshot:

Step 7 – Install dependencies and/or modules needed by CSF. These modules are required for Statistical Graphs available from the csf UI.

yum install wget perl unzip net-tools perl-libwww-perl perl-LWP-Protocol-https perl-GDGraph -y

Once done, you’ll see something like this:

Step 8 – Then now download the latest CSF package from the official download link:

cd /opt
wget https://download.configserver.com/csf.tgz

pic:

Step 9 – Extract the newly downloaded CSF package:

tar -xzf csf.tgz
cd csf

pic:

Step 10 – Install CSF with this simple command:

sh install.sh

the process should take seconds and once done, it should look like this:

Step 11 – It is installed now and you can safely delete installation files and folders:

rm -rf /opt/csf
rm /opt/csf.tgz

pic:

Step 12 – Do not forget to firstly test if CSF can really work on your CentOS server:

perl /usr/local/csf/bin/csftest.pl

output should look like this:

CSF Configuration on CentOS 7

Step 1 – CSF puts all its configuration in a file located at /etc/csf/csf.conf. So edit that file using your favorite text editor (like Nano). Alter or configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf configuration to suite your server and your need:

nano /etc/csf/csf.conf

Once text editor opens, it will show configuration page like this:

Step 2 – Change this basic configuration:

You can see all allowed ports at TCP and UDP in / out. It means all other ports will be disallowed. For example, I changed default SSH port from 22 to 21500, then I have to add 21500 in TCP ports (in and out):

Step 3 – Go through the configuration file completely and make the changes as per your requirement. Once you made all changes, enable CSF, by changing the line TESTING=”1″ to TESTING=”0″ in the csf.conf file.

save changes and exit the editor which in Nano it is Control+O then Control+X.

Step 4 – Restart CSF service:

systemctl restart csf.service

That’s it.

Important files:

1. csf.conf: The main configuration file, it has helpful comments explaining what each option does.
2. csf.allow: A list of IP’s and CIDR addresses that should always be allowed through the firewall.
3. csf.deny: A list of IP’s and CIDR addresses that should never be allowed through the firewall.
4. csf.ignore: A list of IP’s and CIDR addresses that lfd should ignore and not not block if detected.
5. csf.*ignore: Various ignore files that list files, users, IP’s that lfd should ignore. See each file for their specific purpose and tax.

Enjoy and be always safe!