01 Apr2016

How to install ConfigServer firewall (CSF) on CentOS

Posted in Linux Software Tutorials

When it comes to powerful, easy to use Linux firewalls, ConfigServer firewall (CSF) must be one of the best that I've ever used. It can be installed and used on a standalone Linux server or you can integrate it with your cPanel, DirectAdmin or Webmin control panel. In this tutorial I will show you how to install CSF & configure it for the first time.

Step 1

We are going to install CSF on CentOS. The first step is to SSH into your server then download the software.

wget https://download.configserver.com/csf.tgz

If you do not have wget install, you can simply install it as follows.

yum -y install wget

Step 2

Extract the files.

tar -xvzf csf.tgz

Step 3

Enter the CSF directory and run the installer.

cd csf
sh install.sh

Once this process completes, CSF will be installed on your server. Yes, it is that easy.

Step 4

CSF will be in testing mode so you need to change that setting in the config file.

vi /etc/csf/csf.conf
Change TESTING = "1" to TESTING = "0"

Save & exit the config file then restart CSF.

csf -r

Well done. You now have a fully functioning firewall on your server but you still need to configure the allowed ports since you do not want all the default ports open on your server.

Step 5

Configure your ports & allow / deny ICMP (ping).

vi /etc/csf/csf.conf

Locate the port settings section.

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

# Allow incoming PING
ICMP_IN = "1"

Remove all the ports you don't need and add your custom ports in the list. Finally, if you do not want to allow ICMP requests to your server, simply change that setting to 0.

Once you are done, save & exit the file and restart CSF (always restart CSF when you make changes in the config).

csf -r

Useful CSF File Locations

  • Main Config File: /etc/csf/csf.conf
  • Main Log File: /var/log/csf.log
  • IP Deny File: /etc/csf/csf.deny
  • IP Allow File: /etc/csf/csf.allow

Useful CSF Commands

  • Restart CSF: csf -r
  • Disable CSF: csf -x
  • Enable CSF: csf -e
  • Deny an IP: csf -d 1.1.1.1
  • Allow an IP: csf -a 1.1.1.1

It is worth going through the CSF config file and reading up about all the options available. Enjoy!