Step 1: Installing Required CSF Modules
Install the Perl modules that the CSF script requires; otherwise you will see an error such as libwww not being installed.
    # yum install perl-libwww-perl
Step 2: Downloading CSF
It is a good idea to work in the /tmp directory when downloading or installing any new software. Use the wget command to download the CSF script.
    # cd /tmp
    # wget http://www.configserver.com/free/csf.tgz
Step 3: Removing Existing Firewall
Remove any other iptables firewall scripts you are using, such as APF (Advanced Policy Firewall) or BFD (Brute Force Detection). You should not run two firewall scripts on the same server, because they will conflict with each other. To prevent such conflicts, remove the APF+BFD combination by running the uninstall script provided with CSF. Note that /tmp/csf exists only after the archive has been extracted in Step 4.
    # sh /tmp/csf/remove_apf_bfd.sh
Step 4: Installing CSF
Once the download completes, extract all the files using the tar command and change to the newly created csf directory. Then run the installer script.
    # cd /tmp
    # tar -xzf csf.tgz
    # cd csf
    # sh install.sh
Step 5: Configuring CSF
The above script installs and starts CSF in “Testing” mode, which means it does not fully protect your server. Before you disable “Testing” mode, configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options to suit your requirements. Open the file /etc/csf/csf.conf and make the following changes.
    # Allow incoming TCP ports
    TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

    # Allow outgoing TCP ports
    TCP_OUT = "20,21,22,25,53,80,110,113,443"

    # Allow incoming UDP ports
    UDP_IN = "20,21,53"

    # Allow outgoing UDP ports
    # To allow outgoing traceroute add 33434:33523 to this list
    UDP_OUT = "20,21,53,113,123"
Once you are happy with your CSF configuration, you can disable “Testing” mode by changing TESTING = "1" to TESTING = "0". Before changing it, I highly recommend reading the complete CSF readme file at http://configserver.com/free/csf/readme.txt.
    TESTING = "0"
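A pre-flight check you can run before switching TESTING to "0", written as an added example that is not part of the original article or of CSF itself. It reads TCP_IN and TESTING from a csf.conf-style file and confirms that your SSH port is still allowed in; the function names and the default SSH port of 22 are assumptions.

```shell
#!/bin/sh
# Added example (not part of CSF): pre-flight check for /etc/csf/csf.conf.
# Helper names csf_get, port_in_list and csf_preflight are hypothetical.
# Usage after sourcing this file: csf_preflight /etc/csf/csf.conf 22

# Print the value of KEY from a csf.conf-style file (KEY = "value").
csf_get() {   # $1 = key, $2 = config file
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$2" |
        tail -n 1
}

# Succeed if port $1 is covered by CSF port list $2, e.g. "22,80,33434:33523".
port_in_list() {
    old_ifs=$IFS; IFS=,
    for entry in $2; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 if [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]; then
                     IFS=$old_ifs; return 0
                 fi ;;
            *)   if [ "$entry" = "$1" ]; then IFS=$old_ifs; return 0; fi ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# csf_preflight CONF [SSH_PORT]
# Returns 0 = testing mode off and SSH port allowed in,
#         1 = still in testing mode,
#         2 = SSH port missing from TCP_IN (check before going live).
csf_preflight() {
    conf=$1; ssh_port=${2:-22}   # 22 is an assumed default SSH port
    tcp_in=$(csf_get TCP_IN "$conf")
    testing=$(csf_get TESTING "$conf")
    if ! port_in_list "$ssh_port" "$tcp_in"; then
        echo "TCP_IN does not allow SSH port $ssh_port"
        return 2
    fi
    if [ "$testing" != "0" ]; then
        echo "TESTING = \"$testing\": firewall is still in testing mode"
        return 1
    fi
    echo "OK: SSH port $ssh_port allowed in, testing mode off"
    return 0
}
```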
Step 6: Starting CSF
CSF is now ready. Start the csf daemon and enable it to start at boot time.
    # chkconfig --level 235 csf on
    # service csf restart
Step 7: CSF Configuration Options and Usage
The following files are used to modify and control the csf configuration. All csf configuration files are located under the /etc/csf directory. If you modify any of them, you need to restart the csf daemon for the changes to take effect.
- csf.conf : The main configuration file for controlling CSF.
- csf.allow : The list of allowed IPs and CIDR addresses on the firewall.
- csf.deny : The list of denied IPs and CIDR addresses on the firewall.
- csf.ignore : The list of ignored IPs and CIDR addresses on the firewall.
- csf.*ignore : The various ignore files for users and IPs.
Step 8: CSF Commands and Options
These are some of the common command-line options for allowing or denying IP addresses. Option -d denies an IP address, option -a allows an IP address, and option -r reloads all rules.
    # csf -d IPADDRESS
    # csf -a IPADDRESS
    # csf -r
If you have forgotten the csf commands, just type csf in the terminal to get the list of all options.
    # csf
That’s it: you have now installed and configured your firewall successfully. If you face any trouble while installing, post your queries in the comment section below and we will be glad to help.
Step 9: Remove CSF Firewall
If you would like to remove the CSF firewall completely, run the uninstall script located at /etc/csf/uninstall.sh.
    # /etc/csf/uninstall.sh
The above command removes the CSF firewall completely, along with all of its files and folders.
Source: Tecmint