Security

How to install Config Server Firewall on CentOS 7

Although the default firewall in CentOS is powerful, there's a more flexible option available. Jack Wallen walks you through the steps for installing Config Server Firewall.

Image: Jack Wallen

If you're looking to up your security game with CentOS 7, you might want to consider installing Config Server Firewall (CSF). With this particular security package you not only get a firewall, but login/intrusion detection that will alert you to the likes of someone attempting an ssh login or usage of the su command as well as any failed login attempt on a mail and various other servers (such as OpenSSH and FTP).

Thing is, CSF isn't installed by default. Fortunately, the installation isn't terribly challenging. Let's do just that and then set it as the default firewall and then some basic configuration.

Installation

Because you cannot install CSF from the standard repositories, you must take care of this task manually. Fortunately, the dependencies can all be installed via the yum command like so:

sudo yum install wget perl-libwww-perl.noarch perl-Time-HiRes

Once that installation completes, we can download the CSF source and install. Here are the steps:

  1. Open a terminal window
  2. Change into the /tmp directory with the command cd /tmp
  3. Download the source with the command sudo wget https://download.configserver.com/csf.tgz
  4. Unpack the file with the command sudo tar -xvzf cfs.tgz
  5. Change into the newly created directory with the command cd csf
  6. Install the software with the command sudo sh install.sh

When the installation successfully finishes, you will see Installation Completed before being returned to your bash prompt. CSF is ready to go.

Testing the installation

Before we move on, let's test the installation. For this you will need to su to the root user (by issuing the command su). Once you are root, change into the CSF bin directory with the command cd /usr/local/csf/bin and then issue the command sudo perl cfstest.pl. If the test succeeds, you'll see the output shown in Figure A.

Figure A

Figure A

A successful run of the CSF test.

Set CSF as the default

In order to run CSF, we must first disable the default firewall as a service and then enable CSF as a service. To do this, go back to your terminal window and issue the following commands:

sudo systemctl stop firewalld
​sudo systemctl disable firewalld

Now change into the /etc/csf directory and open up the csf.conf file for editing. Locate the line (near the top) TESTING = and make sure it is set to "0" and not "1". Save and close that file. Next we start both the CFS and Login Failure Daemon (LFD) services with the commands:

sudo systemctl start csf
​sudo systemctl start lfd

Finally, we enable the above services (so they will automatically start at boot), with the commands:

sudo systemctl enable csf
​sudo systemctl enable lfd

The last thing you will want to do is configure an email address for the sending of login failure alerts. Open up the /etc/csf/csf.conf file for editing and look for the line:

LF_ALERT_TO = ""

Add the necessary email address between the quotes and save/close that file. Once you've done that, restart CSF with the command sudo csf -r.

That's it, the Config Server Firewall is now running on your system.

Example commands

Here are some quick samples of what you can do with CSF.

Start the firewall:

sudo csf -s

Flush the firewall rules:

sudo csf -f

Reload the firewall:

sudo csf -r

Allow and add a specific IP address:

sudo csf -a 192.168.1.101

Remove a previously allowed IP address:

sudo csf -ar 192.168.1.101

Block and add a specific IP address:

sudo csf -d 192.168.1.101

Remove a previously denied IP address:

sudo csf -dr 192.168.1.101

Find out more

The best way to learn more about how to use CSF is by issuing the command sudo csf —help. This will output all of the possible options available to the command. If you happen to make use of Webmin, cPanel, or CentOS Web Panel, you'll also find a handy, web-based interface that will help you further configure CSF.

Also see

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

Editor's Picks

Free Newsletters, In your Inbox