ConfigServer Security & Firewall (CSF) is an iptables-based firewall that provides high-level security to Linux systems. It utilizes stateful packet inspection (SPI) to protect against various threats and attacks. CSF offers a wide range of features, including IP blocking, port blocking, DDoS protection, rate limiting, connection tracking, and SSH login detection. It also includes tools for system and file integrity checking. With its user-friendly GUI dashboard, CSF can be easily managed and integrated with popular control panels like DirectAdmin, cPanel, Cyberpanel, Vesta, and Webmin. In this tutorial, we will walk you through the process of installing and configuring CSF on a Rocky Linux 9 server.
Prerequisites
Before we begin, make sure you have the following prerequisites in place:
- A server running Rocky Linux 9 with a minimum of 1 GB of RAM.
- A non-root user with sudo privileges.
- A Fully Qualified Domain Name (FQDN) pointing to your server.
- All packages and the system itself are up to date.
To update the system, run the following command:
sudo dnf update
Additionally, you will need to install a few essential packages required for the tutorial and CSF to run. Some of these packages may already be present on your server. Install them using the following command:
sudo dnf install wget curl nano unzip yum-utils policycoreutils-python-utils -y
Step 1 – Disable Firewalld Firewall
By default, Rocky Linux uses Firewalld Firewall. Before installing CSF, we need to disable Firewalld to prevent any interference. To check the status of Firewalld, run the following command:
sudo systemctl status firewalld
If Firewalld is active, stop and disable it using the following commands:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
Step 2 – Install Required Perl Modules
CSF requires certain Perl modules to run. To install these modules, we first need to enable the EPEL repository. Run the following command to install the EPEL repository:
sudo dnf install epel-release
Once the EPEL repository is installed, install the required Perl modules using the following command:
sudo dnf install perl-core perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph -y
Step 3 – Download and Install CSF
CSF is not available in the Rocky Linux repository, so we need to install it manually. Follow the steps below to download and install CSF:
- Download the latest version of the CSF archive from the CSF website using the following command:
wget https://download.configserver.com/csf.tgz
- Extract the downloaded archive using the following command:
tar xzf csf.tgz
- Switch to the extracted directory using the following command:
cd csf
- Install CSF by running the installer script with root privileges:
sudo ./install.sh
After the installation is complete, you should see the following output:
Don't forget to:
1. Configure the following options in the csf configuration to suit your server:
   TCP_*, UDP_*
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so
'lfd.service' -> '/usr/lib/systemd/system/lfd.service'
'csf.service' -> '/usr/lib/systemd/system/csf.service'
Created symlink /etc/systemd/system/multi-user.target.wants/csf.service → /usr/lib/systemd/system/csf.service.
Created symlink /etc/systemd/system/multi-user.target.wants/lfd.service → /usr/lib/systemd/system/lfd.service.
Unit /etc/systemd/system/firewalld.service is masked, ignoring.
The unit files have no installation config (WantedBy=, RequiredBy=, Also=,
Alias= settings in the [Install] section, and DefaultInstance= for template
units). This means they are not meant to be enabled or disabled using systemctl.

Possible reasons for having this kind of units are:
• A unit may be statically enabled by being symlinked from another unit's
  .wants/ or .requires/ directory.
• A unit's purpose may be to act as a helper for some other unit which has
  a requirement dependency on it.
• A unit may be started when needed via activation (socket, path, timer,
  D-Bus, udev, scripted systemctl call, ...).
• In case of template units, the unit is meant to be enabled with some
  instance name specified.
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'
Installation Completed
To verify if the required iptables modules are available, run the following command:
sudo perl /usr/local/csf/bin/csftest.pl
The output should indicate that CSF should function correctly on your server.
To check the CSF version, run the following command:
sudo csf -v
The output should display the CSF version installed on your system.
Step 4 – Configure CSF
CSF stores its configuration in the /etc/csf/csf.conf file. Open the file for editing using the following command:
sudo nano /etc/csf/csf.conf
In the configuration file, you will find various options that can be customized to suit your needs. Let’s go through some of the commonly used settings:
- TESTING: By default, CSF runs in testing mode, which means it will not fully enforce its rules. Set the value of TESTING to 0 once you are satisfied with the firewall configuration.
- RESTRICT_SYSLOG: This option restricts access to the syslog/rsyslog files. Set its value to 3 to limit access to the members of the RESTRICT_SYSLOG_GROUP. The default group contains root, mysql, rpc, daemon, dbus, and several cPanel and DirectAdmin users. You can add more users by editing the /etc/csf/csf.syslogusers file.
Once you have made the necessary configuration changes, save the file and exit the editor.
Step 5 – Configure Ports
CSF comes with default open ports configured in the /etc/csf/csf.conf file. By default, CSF allows incoming and outgoing traffic on various TCP and UDP ports. You can modify these ports according to your requirements.
To allow or block specific ports, edit the following variables in the configuration file:
- TCP_IN: This variable specifies the incoming TCP ports that are allowed. Modify the port numbers according to your needs.
- TCP_OUT: This variable specifies the outgoing TCP ports that are allowed. Modify the port numbers as required.
- UDP_IN: This variable specifies the incoming UDP ports that are allowed. Modify the port numbers if needed.
- UDP_OUT: This variable specifies the outgoing UDP ports that are allowed. Adjust the port numbers according to your requirements.
For example, if you want to allow incoming traffic on port 8080, modify the TCP_IN variable as follows:
TCP_IN = "20,21,22,25,53,853,80,110,143,443,465,587,993,995,8080"
Save the file after making the necessary changes.
It’s important to note that if you are using IPv6 for your services, you will need to configure the corresponding IPv6 ports as well. Modify the TCP6_IN, TCP6_OUT, UDP6_IN, and UDP6_OUT variables accordingly.
Step 6 – Additional CSF Settings
CSF provides additional settings that can be configured according to your specific needs. Let’s explore some of the commonly used options:
- ICMP_IN: This option determines whether to allow or deny ICMP requests to your server. Set the value to 1 to allow ICMP requests, which are useful for availability checks. If you are hosting public services, it is recommended to allow ICMP requests.
- ICMP_IN_LIMIT: This option sets the number of ICMP requests allowed from a single IP address within a specified time period. The default value is recommended, but you can adjust it if needed.
- DENY_IP_LIMIT: This option limits the number of IP addresses that can be blocked by CSF. If the number of blocked IPs exceeds this limit, CSF will unblock the oldest IP, which is the first entry in the /etc/csf/csf.deny file. Choose a value based on your server’s resources.
- DENY_TEMP_IP_LIMIT: This option is similar to DENY_IP_LIMIT, but it applies to temporary IP address blocks.
- PACKET_FILTER: This option filters invalid, unwanted, and illegal traffic packets.
- CONNLIMIT: This option limits the number of concurrent active connections allowed on a single port. You can set it based on your requirements. For example, to limit the number of concurrent connections on port 22 to 5 per IP address and on port 443 to 20 per IP address, you can use the following configuration:
CONNLIMIT = "22;5,443;20"
- PORTFLOOD: This option limits the number of connections per time interval that can be made to specific ports. For example, to block an IP address if more than 5 connections are established on port 22 using the TCP protocol within 250 seconds, you can use the following configuration:
PORTFLOOD = "22;tcp;5;250"
You can add more ports by separating them with commas.
After making the necessary changes, save the configuration file.
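Editing csf.conf by hand is fine, but a misspelled key is not an error: csf simply ignores it and the default stays in force. The script below is an added example, not part of CSF or this tutorial; it sets the options used in Steps 4 to 6 in place, refuses to write a key that is not already present exactly once, and the csf.conf fragment it creates for the demonstration is constructed, not a real configuration.

```shell
#!/bin/sh
# Added example: set csf.conf options in place, refusing to write a key that
# is not already present exactly once. csf.conf lines have the form
#   KEY = "value"
# so a misspelled key (DENYIPLIMIT instead of DENY_IP_LIMIT) would otherwise
# be silently ignored by csf and the default would stay in force.

# get_csf_option KEY [CONF]  -> prints the current value of KEY
get_csf_option() {
    grep "^$1 = \"" "${2:-/etc/csf/csf.conf}" | sed 's/^[^"]*"\(.*\)"$/\1/'
}

# set_csf_option KEY VALUE [CONF]  -> 0 on success, 1 if KEY is not found once
set_csf_option() {
    key=$1
    value=$2
    conf=${3:-/etc/csf/csf.conf}
    count=$(grep -c "^${key} = \"" "$conf" || true)
    if [ "$count" -ne 1 ]; then
        echo "set_csf_option: '$key' found $count times in $conf (expected 1)" >&2
        return 1
    fi
    # awk avoids sed delimiter trouble with values such as 100/s or 22;tcp;5;250;
    # writing back through cat keeps the mode and owner of csf.conf
    awk -v k="$key" -v v="$value" '
        index($0, k " = \"") == 1 { print k " = \"" v "\""; next }
        { print }' "$conf" > "$conf.tmp" &&
    cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# Apply the settings used in Steps 4 to 6 of the tutorial to CONF.
harden_csf() {
    conf=$1
    set_csf_option TESTING 0 "$conf" &&
    set_csf_option RESTRICT_SYSLOG 3 "$conf" &&
    set_csf_option TCP_IN "20,21,22,25,53,853,80,110,143,443,465,587,993,995,8080" "$conf" &&
    set_csf_option CONNLIMIT "22;5,443;20" "$conf" &&
    set_csf_option PORTFLOOD "22;tcp;5;250" "$conf"
}

# Constructed csf.conf fragment for trying the functions without touching
# the real file; only the keys needed for the demonstration are present.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Enable/disable testing mode
TESTING = "1"
TESTING_INTERVAL = "5"
RESTRICT_SYSLOG = "0"
TCP_IN = "20,21,22,25,53,853,80,110,143,443,465,587,993,995"
TCP6_IN = "22,80,443"
CONNLIMIT = ""
PORTFLOOD = ""
DENY_IP_LIMIT = "200"
EOF
}

# Usage: sh csf-set.sh /etc/csf/csf.conf   (then: sudo csf -r)
if [ "$#" -eq 1 ]; then
    harden_csf "$1" && echo "updated $1; run 'csf -r' to apply"
fi
```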
Step 7 – Allow and Block IP Addresses
Blocking and allowing IP addresses is one of the core functionalities of a firewall. CSF provides a simple way to block, allow, and ignore IP addresses using configuration files.
To block IP addresses, open the /etc/csf/csf.deny file in an editor:
sudo nano /etc/csf/csf.deny
Each IP address or IP range should be added on a separate line. For example, to block the IP address 1.2.3.4 and the IP range 2.3.0.0/16, add the following lines:
1.2.3.4
2.3.0.0/16
Save the file after adding the necessary IP addresses.
Similarly, to allow specific IP addresses, edit the /etc/csf/csf.allow file:
sudo nano /etc/csf/csf.allow
Add the allowed IP addresses to this file, each on a separate line, following the same format as the deny file.
Additionally, CSF provides an ignore file (/etc/csf/csf.ignore) to exclude specific IP addresses from firewall filters. Ignored IP addresses will only be blocked if they are listed in the deny file.
After making changes to the allow, deny, or ignore files, restart the firewall for the changes to take effect:
sudo csf -r
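Before restarting, it is worth validating the lists: a malformed line filters nothing, and an address that appears in both csf.allow and csf.deny is usually a mistake. The checker below is an added example, not part of CSF or this tutorial; it handles IPv4 addresses and CIDR ranges only, flags exact duplicates between the two files (not overlapping ranges), and the sample lists it writes are constructed.

```shell
#!/bin/sh
# Added example: sanity-check csf.deny and csf.allow before 'csf -r'.
# Both files hold one address per line; csf ignores text after '#', which is
# also where lfd writes its own comments. This checker covers IPv4 addresses
# and CIDR ranges only, and only exact duplicates between the two files, not
# overlapping ranges.

# entries_of FILE  -> the entries with comments and whitespace stripped
entries_of() {
    sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' "$1" | grep -v '^$'
}

# valid_ipv4_entry ADDR[/PREFIX]  -> 0 if the entry is well formed
valid_ipv4_entry() {
    echo "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# check_csf_lists DENY ALLOW  -> prints one line per problem and returns the
# number of problems found (0 means the lists are clean)
check_csf_lists() {
    deny=$1
    allow=$2
    report=$(
        for f in "$deny" "$allow"; do
            entries_of "$f" | while IFS= read -r e; do
                valid_ipv4_entry "$e" || echo "$f: malformed entry '$e'"
            done
        done
        # the same address in both lists is almost always a configuration slip
        entries_of "$allow" | while IFS= read -r e; do
            if entries_of "$deny" | grep -Fqx -- "$e"; then
                echo "$e is listed in both $deny and $allow"
            fi
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return "$(printf '%s\n' "$report" | grep -c '')"
}

# Constructed sample lists: 1.2.3.4 and 2.3.0.0/16 come from the tutorial,
# the last octet 256 is a deliberate typo and 1.2.3.4 is also allowed.
make_sample_lists() {
    printf '%s\n' '1.2.3.4' '2.3.0.0/16' '1.2.3.256 # typo' > "$1/csf.deny"
    printf '%s\n' '1.2.3.4' '203.0.113.10 # monitoring host' > "$1/csf.allow"
}

# Usage: sh csf-check.sh /etc/csf   (exit status = number of problems found)
if [ "$#" -eq 1 ]; then
    check_csf_lists "$1/csf.deny" "$1/csf.allow"
fi
```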
Step 8 – Protection against DDoS Attacks
CSF offers various features to protect against Distributed Denial of Service (DDoS) attacks. Let’s explore some of the configurations you can implement to enhance your server’s security.
SYN Flood Protection
A SYN flood is a type of DDoS attack where an attacker floods a server with a large number of SYN packets, exhausting system resources. CSF provides protection against SYN flood attacks. To enable SYN flood protection, make the following configuration changes in the /etc/csf/csf.conf file:
- Set SYNFLOOD to 1 to enable SYN flood protection.
- Adjust SYNFLOOD_RATE to define the rate at which SYN packets are allowed. The default value is 100/s.
- Modify SYNFLOOD_BURST to set the maximum number of allowed SYN packets within a specified time period. The default value is 150.
Save the file after making the changes.
Blocklists
CSF integrates with various IP-based blocklists to prevent connections from malicious IP addresses. CSF includes pre-configured blocklists, such as Spamhaus, Project Honey Pot, BruteForceBlocker, Blocklist.de, Stop Forum Spam, and more.
To enable a specific blocklist, open the /etc/csf/csf.blocklists file:
sudo nano /etc/csf/csf.blocklists
Uncomment the desired blocklist section by removing the # at the beginning of the line. Each blocklist section includes a URL from which CSF will download the IP addresses to block.
For example, to enable the Spamhaus blocklists, uncomment the following lines:
# Spamhaus Don't Route Or Peer List (DROP)
# Details: http://www.spamhaus.org/drop/
#SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.txt

# Spamhaus IPv6 Don't Route Or Peer List (DROPv6)
# Details: http://www.spamhaus.org/drop/
#SPAMDROPV6|86400|0|https://www.spamhaus.org/drop/dropv6.txt

# Spamhaus Extended DROP List (EDROP)
# Details: http://www.spamhaus.org/drop/
#SPAMEDROP|86400|0|http://www.spamhaus.org/drop/edrop.txt
Save the file after uncommenting the desired blocklists.
Country Level Blocking
CSF allows you to block access from specific countries by using IP geolocation databases. By blocking traffic from countries known for launching DDoS attacks or hosting malicious actors, you can enhance your server’s security.
CSF supports two methods for matching IP addresses to countries:
- Default Method: This method uses free IP geolocation databases such as DB-IP, ipdeny.com, and iptoasn.com. Although these databases do not require a license key, they may be less accurate.
- MaxMind Method: This method requires a MaxMind license key and offers more accurate country-level blocking. MaxMind provides a free license key that you can obtain from their website.
To enable country-level blocking, modify the following variables in the /etc/csf/csf.conf file:
- CC_SRC: Set this variable to 1 to enable country-level blocking.
- MM_LICENSE_KEY: If you have a MaxMind license key, enter it in this variable.
For example, to enable country-level blocking and block IP addresses from Russia, add the following configuration:
CC_SRC = "1"
CC_DENY = "RU"
Save the file after making the changes.
To allow connections only from specific countries, use the following configuration:
CC_ALLOW_FILTER = "IN,GB"
This configuration allows connections only from India and the United Kingdom (UK). You can add more countries by separating them with commas.
Remember to save the file after making the changes.
Finally, restart the firewall for the changes to take effect:
sudo csf -r
CSF provides additional ways to prevent DDoS attacks, such as port flooding and connection limits. Refer to the CSF documentation for more information on configuring these features.
Step 9 – Commonly Used CSF Commands
CSF provides a set of useful commands to manage the firewall. Here are some commonly used commands:
- Enable CSF: This command enables and starts CSF:
sudo csf -e
- Disable CSF: This command disables CSF:
sudo csf -x
- Start Firewall: This command starts the CSF firewall rules:
sudo csf -s
- Stop Firewall: This command flushes and stops the CSF firewall rules:
sudo csf -f
- Restart Firewall: This command restarts the CSF firewall:
sudo csf -r
- Block IP Address: This command adds an IP address to the temporary ban list:
sudo csf -td <IP_ADDRESS>
- Unblock IP Address: This command removes an IP address from the temporary ban list:
sudo csf -tr <IP_ADDRESS>
- Remove all IP Address Blocks: This command deletes all IP addresses from the temporary ban list:
sudo csf -tf
- Allow IP Address: This command allows an IP address:
sudo csf -a <IP_ADDRESS>
- Remove IP Address from Allow List: This command removes an IP address from the allow list:
sudo csf -ar <IP_ADDRESS>
- Search for IP Address: This command searches the iptables and ip6tables rules for an IP address, CIDR, or port number:
sudo csf -g <IP_ADDRESS_OR_PORT>
These are just a few examples of the commands available in CSF. Refer to the CSF documentation for a comprehensive list of commands and their usage.
Step 10 – Enable CSF GUI
CSF comes with a web-based GUI panel that allows for easy management of the firewall. By default, the GUI is disabled. To enable the GUI, perform the following steps:
- Install the necessary Perl modules by running the following command:
sudo dnf install perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-IO-Socket-INET6 perl-Socket6 -y
- Open the CSF configuration file for editing:
sudo nano /etc/csf/csf.conf
- Find the line UI = "0" and change its value to UI = "1".
- Change the port at which the web panel is accessible. By default, CSF uses port 6666, but this port is often blocked by web browsers. Choose a port number greater than 1024. For example, we will use port 1037:
UI_PORT = "1037"
- If you want to allow only specific IP addresses to access the web panel, set the UI_IP variable to the desired IP address. Leave it blank to allow access from all IP addresses:
UI_IP = ""
- Configure the credentials for the web panel by setting the UI_USER and UI_PASS variables. Choose a strong username and password combination:
UI_USER = "your_username"
UI_PASS = "your_password"
- If you want to allow access from all IP addresses, you can modify the UI_ALLOW variable to 0:
UI_ALLOW = "0"
- Save the file after making the changes.
- To apply the changes, restart the CSF and LFD services:
sudo systemctl restart csf lfd
The CSF GUI should now be accessible via the following URL: https://your_domain_or_IP:1037. Replace your_domain_or_IP with your server’s domain name or IP address.
Step 11 – Install and Configure Let’s Encrypt SSL
CSF’s web panel uses self-signed certificates by default. However, you can also use Let’s Encrypt SSL certificates to secure the web panel. To install and configure Let’s Encrypt SSL, follow the steps below:
- Install certbot using the Snap package manager. If Snapd is not installed on your system, follow the instructions provided by the Snapd documentation. Install the snapd package, create the /snap symlink (classic snaps such as certbot require it), and add the snap binary directory to the PATH:
sudo dnf install snapd -y
sudo ln -s /var/lib/snapd/snap /snap
echo 'export PATH=$PATH:/var/lib/snapd/snap/bin' | sudo tee -a /etc/profile.d/snapd.sh
- Enable and start the Snap service:
sudo systemctl enable --now snapd.socket
- Install the core snap, then install Certbot using Snap:
sudo snap install core && sudo snap refresh core
sudo snap install --classic certbot
- Ensure that the Certbot command is accessible by creating a symbolic link:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
- Verify the installation by checking the Certbot version:
certbot --version
- Generate an SSL certificate for the CSF web panel domain. Replace
csf.example.comwith your domain name:
sudo certbot certonly --standalone --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m your_email@example.com -d csf.example.com
- After the certificate is generated, rename the self-signed certificates:
sudo mv /etc/csf/ui/server.crt /etc/csf/ui/server.crt.old
sudo mv /etc/csf/ui/server.key /etc/csf/ui/server.key.old
- Copy the Let’s Encrypt SSL certificates to the /etc/csf/ui directory:
sudo cp /etc/letsencrypt/live/csf.example.com/fullchain.pem /etc/csf/ui/server.crt
sudo cp /etc/letsencrypt/live/csf.example.com/privkey.pem /etc/csf/ui/server.key
Make sure to replace csf.example.com with your domain name.
- Restart the CSF and LFD services for the changes to take effect:
sudo systemctl restart csf lfd
- To automate the certificate renewal process, create a script to copy the renewed certificates:
sudo nano /etc/csf/certcopy.sh
- In the script, add the following lines:
#!/bin/sh
cp -f /etc/letsencrypt/live/csf.example.com/fullchain.pem /etc/csf/ui/server.crt
cp -f /etc/letsencrypt/live/csf.example.com/privkey.pem /etc/csf/ui/server.key
Make sure to replace csf.example.com with your domain name.
- Save the file and make it executable:
sudo chmod +x /etc/csf/certcopy.sh
- Open the Certbot renewal configuration file:
sudo nano /etc/letsencrypt/renewal/csf.example.com.conf
- Add the following line at the bottom to execute the script after each certificate renewal:
post_hook=/etc/csf/certcopy.sh
Make sure to replace csf.example.com with your domain name.
- Save the file and exit the editor.
- Verify the Certbot renewal scheduler service:
sudo systemctl list-timers
You should see snap.certbot.renew.service as one of the services scheduled to run.
- Perform a dry run of the certificate renewal process to check if it is working correctly:
sudo certbot renew --dry-run
If there are no errors, your certificates will be automatically renewed according to the renewal schedule.
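The certcopy.sh hook above copies the files but does not restart lfd, so the renewed certificate is not served until lfd is restarted, as the manual installation step above does. The script below is an added example, not the tutorial’s or CSF’s own: it replaces the pair only when the renewal actually produced a different certificate, keeps the previous pair for rollback, restricts the key to root, and restarts lfd only in that case. The directory defaults and the deploy argument convention are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the tutorial's certcopy.sh): install a renewed
# Let's Encrypt certificate into CSF's UI directory only when it changed,
# keep the previous pair for rollback, restrict the key to root, and restart
# lfd only in that case. Directory defaults are assumptions matching the
# tutorial's csf.example.com.

# install_csf_cert LIVE_DIR UI_DIR
# Returns 0 if the files were updated, 1 if already current, 2 on error.
install_csf_cert() {
    live=${1:-/etc/letsencrypt/live/csf.example.com}
    ui=${2:-/etc/csf/ui}
    if [ ! -s "$live/fullchain.pem" ] || [ ! -s "$live/privkey.pem" ]; then
        echo "install_csf_cert: no certificate found in $live" >&2
        return 2
    fi
    if cmp -s "$live/fullchain.pem" "$ui/server.crt" &&
       cmp -s "$live/privkey.pem" "$ui/server.key"; then
        return 1
    fi
    # keep the pair currently served so a bad renewal can be rolled back by hand
    if [ -f "$ui/server.crt" ]; then cp -f "$ui/server.crt" "$ui/server.crt.old"; fi
    if [ -f "$ui/server.key" ]; then cp -f "$ui/server.key" "$ui/server.key.old"; fi
    cp -f "$live/fullchain.pem" "$ui/server.crt" &&
    cp -f "$live/privkey.pem" "$ui/server.key" &&
    chmod 600 "$ui/server.key" || return 2
    return 0
}

# deploy_csf_cert LIVE_DIR UI_DIR [RESTART_CMD]
# Installs the certificate and runs RESTART_CMD only when something changed,
# so a routine 'certbot renew' that renewed nothing does not bounce lfd.
deploy_csf_cert() {
    restart=${3:-"systemctl restart lfd"}
    rc=0
    install_csf_cert "$1" "$2" || rc=$?
    case $rc in
        0) $restart ;;
        1) return 0 ;;
        *) return 1 ;;
    esac
}

# Hook entry point: certbot runs post_hook through the shell, so the renewal
# configuration can point at   /etc/csf/certcopy.sh deploy   (assumed invocation).
case "${1:-}" in
    deploy) deploy_csf_cert "${2:-}" "${3:-}" ;;
esac
```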
Step 12 – Access CSF Web Panel
Once the CSF web panel is enabled and configured, you can access it using a web browser.
- Open your web browser and enter the following URL, replacing csf.example.com with your domain name or server’s IP address:
https://csf.example.com:1037
- You will be presented with a login page. Enter the credentials you configured earlier and click the “Enter” button.
- You will now have access to the CSF web panel, where you can manage and monitor the firewall settings.
Step 13 – Uninstall CSF
If you need to uninstall CSF for any reason, you can run the uninstaller script provided by CSF.
- Run the following command to execute the uninstaller script:
sudo sh /etc/csf/uninstall.sh
- Confirm the uninstallation when prompted.
CSF will be removed from your system, and all related files and configurations will be deleted.
Conclusion
In this tutorial, we have covered the installation and configuration of Config Server Firewall (CSF) on a Rocky Linux 9 server. We have explored various steps, including disabling the Firewalld firewall, installing required Perl modules, downloading and installing CSF, configuring the firewall, enabling the CSF GUI, and securing the web panel with Let’s Encrypt SSL certificates. With CSF in place, you can enhance the security of your Rocky Linux server and protect it against various threats and attacks. Remember to regularly update CSF and monitor its logs for any suspicious activity.
If you need reliable and scalable cloud hosting solutions, consider Shape.host’s Linux SSD VPS services. Shape.host offers high-performance virtual private servers powered by solid-state drives (SSDs), ensuring fast and efficient hosting for your applications. With Shape.host, you can focus on your business while leaving the infrastructure management to the experts. Visit Shape.host for more information.