Although the default firewall in CentOS is powerful, there's a more flexible option available. Jack Wallen walks you through the steps for installing Config Server Firewall.
If you're looking to up your security game with CentOS 7, you might want to consider installing Config Server Firewall (CSF). With this particular security package you not only get a firewall, but login/intrusion detection that will alert you to the likes of someone attempting an ssh login or usage of the su command as well as any failed login attempt on a mail and various other servers (such as OpenSSH and FTP).
Thing is, CSF isn't installed by default. Fortunately, the installation isn't terribly challenging. Let's do just that and then set it as the default firewall and then some basic configuration.
Because you cannot install CSF from the standard repositories, you must take care of this task manually. Fortunately, the dependencies can all be installed via the yum command like so:
sudo yum install wget perl-libwww-perl.noarch perl-Time-HiRes
Once that installation completes, we can download the CSF source and install. Here are the steps:
- Open a terminal window
- Change into the /tmp directory with the command cd /tmp
- Download the source with the command sudo wget https://download.configserver.com/csf.tgz
- Unpack the file with the command sudo tar -xvzf cfs.tgz
- Change into the newly created directory with the command cd csf
- Install the software with the command sudo sh install.sh
When the installation successfully finishes, you will see Installation Completed before being returned to your bash prompt. CSF is ready to go.
Testing the installation
Before we move on, let's test the installation. For this you will need to su to the root user (by issuing the command su). Once you are root, change into the CSF bin directory with the command cd /usr/local/csf/bin and then issue the command sudo perl cfstest.pl. If the test succeeds, you'll see the output shown in Figure A.
Set CSF as the default
In order to run CSF, we must first disable the default firewall as a service and then enable CSF as a service. To do this, go back to your terminal window and issue the following commands:
sudo systemctl stop firewalld sudo systemctl disable firewalld
Now change into the /etc/csf directory and open up the csf.conf file for editing. Locate the line (near the top) TESTING = and make sure it is set to "0" and not "1". Save and close that file. Next we start both the CFS and Login Failure Daemon (LFD) services with the commands:
sudo systemctl start csf sudo systemctl start lfd
Finally, we enable the above services (so they will automatically start at boot), with the commands:
sudo systemctl enable csf sudo systemctl enable lfd
The last thing you will want to do is configure an email address for the sending of login failure alerts. Open up the /etc/csf/csf.conf file for editing and look for the line:
LF_ALERT_TO = ""
Add the necessary email address between the quotes and save/close that file. Once you've done that, restart CSF with the command sudo csf -r.
That's it, the Config Server Firewall is now running on your system.
Here are some quick samples of what you can do with CSF.
Start the firewall:
sudo csf -s
Flush the firewall rules:
sudo csf -f
Reload the firewall:
sudo csf -r
Allow and add a specific IP address:
sudo csf -a 192.168.1.101
Remove a previously allowed IP address:
sudo csf -ar 192.168.1.101
Block and add a specific IP address:
sudo csf -d 192.168.1.101
Remove a previously denied IP address:
sudo csf -dr 192.168.1.101
Find out more
The best way to learn more about how to use CSF is by issuing the command sudo csf --help. This will output all of the possible options available to the command. If you happen to make use of Webmin, cPanel, or CentOS Web Panel, you'll also find a handy, web-based interface that will help you further configure CSF.
- How to enable https on Apache CentOS (TechRepublic)
- How to create a new domain account with CENTOS Webpanel (TechRepublic)
- How to protect secure shell on CentOS 7 with Fail2ban (TechRepublic)
- How to install Advanced Intrusion Detection Environment on CentOS (TechRepublic)
- Popular CentOS Linux server gets a major refresh (ZDNet)