(Last Updated On: March 17, 2019)

How do you install and use CSF Firewall on RHEL / CentOS 8? The first thing to do after installing a RHEL/CentOS 8 server is to configure a firewall and harden the server against any form of malicious access. The most popular firewall service used on RHEL-based systems is Firewalld. ConfigServer Security & Firewall (CSF) is a powerful, open-source Stateful Packet Inspection (SPI) firewall, login/intrusion detection and security application for Linux servers.

Features of CSF

Here are the top features of ConfigServer Security & Firewall.

  • Straight-forward SPI iptables firewall script
  • Daemon process that checks for login authentication failures for OpenSSH, Mod_security failures, htpasswd, FTP, IMAP, etc.
  • Excessive connection blocking
  • BOGON packet protection
  • Directory and file watching
  • SYN Flood protection
  • IDS (Intrusion Detection System) – the last line of detection alerts you to changes to system and application binaries
  • Ping of death protection
  • Port Scan tracking and blocking
  • Port Flooding Detection – Per IP, per Port connection flooding detection and mitigation to help block DOS attacks
  • UI integration for Cpanel, Webmin, and DirectAdmin
  • Distributed Login Failure Attack detection
  • IPv6 Support with ip6tables
  • Integrated UI – no need for a separate Control Panel or Apache to use the csf configuration
  • Integrated with the CloudFlare Firewall
  • And lots more

Install CSF Firewall on RHEL / CentOS 8

If the system is not running critical applications, you can upgrade installed packages and do a reboot.

sudo dnf -y update

When done, install Perl.

sudo dnf -y install @perl

Check Perl version.

$ perl -v
This is perl 5, version 26, subversion 2 (v5.26.2) built for x86_64-linux-thread-multi
(with 52 registered patches, see perl -V for more detail)

Copyright 1987-2018, Larry Wall
Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.

CSF is installed using an automated installer script. Download and extract the archive using curl and tar.

curl -SL https://download.configserver.com/csf.tgz | tar -xzf -

Navigate into the created folder, csf:

cd csf

Run installer.

sudo sh install.sh

Test installation

$ sudo perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing xt_connlimit…OK
Testing ipt_owner/xt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK
RESULT: csf should function on this server

Configure and Start CSF on RHEL / CentOS 8

We now have CSF installed on RHEL / CentOS 8. The main configuration file is /etc/csf/csf.conf. Modify this file to tune your firewall rules and policies. See sections below for allowed TCP and UDP ports.

Disable Testing.

sudo perl -pi -w -e "s/TESTING = \"1\"/TESTING = \"0\"/" /etc/csf/csf.conf

Tell lfd to ignore (never block) IP addresses that are on the allow list.

sudo perl -pi -w -e "s/IGNORE_ALLOW = \"0\"/IGNORE_ALLOW = \"1\"/" /etc/csf/csf.conf

The installer adds systemd service files for you. Enable and start the csf service by running:

sudo systemctl enable --now csf

Confirm service status.

$ sudo systemctl status csf 
● csf.service - ConfigServer Firewall & Security - csf
Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: disabled)
Active: active (exited) since Sun 2019-03-17 09:10:19 EAT; 10h ago
Main PID: 783 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 11510)
Memory: 0B
CGroup: /system.slice/csf.service
Mar 17 09:10:19 rhel8.local csf[783]: ACCEPT all opt in * out lo ::/0 -> ::/0
Mar 17 09:10:19 rhel8.local csf[783]: LOGDROPOUT all opt in * out !lo ::/0 -> ::/0
Mar 17 09:10:19 rhel8.local csf[783]: LOGDROPIN all opt in !lo out * ::/0 -> ::/0
Mar 17 09:10:19 rhel8.local csf[783]: csf: FASTSTART loading DNS (IPv4)
Mar 17 09:10:19 rhel8.local csf[783]: csf: FASTSTART loading DNS (IPv6)
Mar 17 09:10:19 rhel8.local csf[783]: LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
Mar 17 09:10:19 rhel8.local csf[783]: LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
Mar 17 09:10:19 rhel8.local csf[783]: LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
Mar 17 09:10:19 rhel8.local csf[783]: LOCALINPUT all opt in !lo out * ::/0 -> ::/0
Mar 17 09:10:19 rhel8.local systemd[1]: Started ConfigServer Firewall & Security - csf.

CSF Usage examples

Block IP or Subnet

sudo csf -d 192.168.0.20 
sudo csf -d 192.168.0.0/24

Sample output:

Adding 192.168.0.20 to csf.deny and iptables DROP…
DROP all opt -- in !lo out * 192.168.0.20 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.0.20

Remove IP/Subnet from blocklist.

$ sudo csf -dr 192.168.0.20 
Removing rule…
DROP all opt -- in !lo out * 192.168.0.20 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.0.20

Allow an IP Address on the firewall.

$ sudo csf -a  192.168.15.15
Adding 192.168.15.15 to csf.allow and iptables ACCEPT…
ACCEPT all opt -- in !lo out * 192.168.15.15 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.15.15

Block certain countries

Edit the CC_DENY line in /etc/csf/csf.conf:

# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""

See ports listening for connections.

$ sudo csf -p

Ports listening for external connections and the executables running behind them:
Port/Proto Open Conn  PID/User             Command Line                            Executable
22/tcp     4/6  4     (789/root)           /usr/sbin/sshd -D -oCiphers=aes256-g... /usr/sbin/sshd
80/tcp     4/6  -     (2580/root)          /usr/sbin/httpd -DFOREGROUND            /usr/sbin/httpd
80/tcp     4/6  -     (2583/apache)        /usr/sbin/httpd -DFOREGROUND            /usr/sbin/httpd
80/tcp     4/6  -     (2584/apache)        /usr/sbin/httpd -DFOREGROUND            /usr/sbin/httpd
80/tcp     4/6  -     (2585/apache)        /usr/sbin/httpd -DFOREGROUND            /usr/sbin/httpd
80/tcp     4/6  -     (2804/apache)        /usr/sbin/httpd -DFOREGROUND            /usr/sbin/httpd
443/tcp    4/6  -     (2580/root)          /usr/sbin/httpd -DFOREGROUND            /usr/sbin/httpd
443/tcp    4/6  -     (2583/apache)        /usr/sbin/httpd -DFOREGROUND            /usr/sbin/httpd
443/tcp    4/6  -     (2584/apache)        /usr/sbin/httpd -DFOREGROUND            /usr/sbin/httpd
443/tcp    4/6  -     (2585/apache)        /usr/sbin/httpd -DFOREGROUND            /usr/sbin/httpd
443/tcp    4/6  -     (2804/apache)        /usr/sbin/httpd -DFOREGROUND            /usr/sbin/httpd
3306/tcp   -/-  -     (2474/mysql)         /usr/libexec/mysqld --basedir=/usr      /usr/libexec/mysqld
68/udp     -/-  -     (761/root)           /usr/sbin/NetworkManager --no-daemon    /usr/sbin/NetworkManager
161/udp    -/-  -     (3129/root)          /usr/sbin/snmpd -LS0-6d -f              /usr/sbin/snmpd
323/udp    -/-  -     (768/chrony)         /usr/sbin/chronyd                       /usr/sbin/chronyd

Send an email when a user logs in via ssh

LF_SSH_EMAIL_ALERT = "1"

Set Alerts email

LF_ALERT_TO = "YOUR_EMAIL_ADDRESS"

Send emails to yourself about security checks.

sudo csf -m YOUR_EMAIL_ADDRESS

Access CSF Web UI

CSF has an integrated Web UI that can be used for configuration. Enable the UI in the /etc/csf/csf.conf file.

UI = "1"

You can also set custom values for:

# Set this to the port that want to bind this service to
UI_PORT = "6666"

# Leave blank to bind to all IP addresses on the server
UI_IP = ""
UI_USER = "admin"
UI_PASS = "StrongAdminPassword"

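Then add your IP addresses to the whitelist. The redirection has to run as root, so pipe through sudo tee rather than using sudo echo with >>.

echo "YOUR_IP_ADDRESS" | sudo tee -a /etc/csf/ui/ui.allow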

Start or restart lfd service

$ sudo systemctl enable --now lfd
$ systemctl status lfd
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2019-03-17 20:05:10 EAT; 33s ago
Process: 21213 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 21226 (lfd - sleeping)
Tasks: 1 (limit: 11510)
Memory: 392.1M
CGroup: /system.slice/lfd.service
└─21226 lfd - sleeping >
Mar 17 20:05:10 rhel8.local systemd[1]: Starting ConfigServer Firewall & Security - lfd…
Mar 17 20:05:10 rhel8.local systemd[1]: Started ConfigServer Firewall & Security - lfd.

Access the CSF Web UI on the configured port.
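A check of the settings edited above (TESTING, IGNORE_ALLOW and the UI_* values), as an added example that is not part of the original guide or of CSF itself. The helper names csf_get, csf_audit and write_sample_conf are hypothetical, the 12-character password minimum is an assumed policy, and the sample file is constructed from the values shown in this guide.

```shell
#!/bin/sh
# Added example, not part of CSF: csf_get and csf_audit are hypothetical helpers.

# Print the value of KEY ($1) from lines shaped like: KEY = "value" in file $2.
# If the key appears more than once, this helper reports the last occurrence.
csf_get() {
    sed -n "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Print one finding per line for the settings this guide edits; silent when clean.
csf_audit() {
    conf=$1
    # In test mode a cron job clears the firewall rules again after a few minutes.
    [ "$(csf_get TESTING "$conf")" = "0" ] ||
        echo "TESTING is not \"0\": firewall is still in test mode"
    if [ "$(csf_get IGNORE_ALLOW "$conf")" = "1" ]; then
        echo "IGNORE_ALLOW=1: lfd will not block addresses listed in csf.allow"
    fi
    [ "$(csf_get UI "$conf")" = "1" ] || return 0   # UI checks only matter when enabled
    pass=$(csf_get UI_PASS "$conf")
    case $pass in
        ""|password|StrongAdminPassword)   # empty, or a sample value copied verbatim
            echo "UI_PASS is empty or a sample value" ;;
        *)  [ "${#pass}" -ge 12 ] || echo "UI_PASS is shorter than 12 characters" ;;  # assumed policy
    esac
    [ -n "$(csf_get UI_IP "$conf")" ] ||
        echo "UI_IP is blank: the UI listens on every address"
    return 0
}

# Constructed sample input mirroring the values shown in this guide.
write_sample_conf() {
    cat > "$1" <<'EOF'
TESTING = "1"
IGNORE_ALLOW = "1"
UI = "1"
UI_PORT = "6666"
UI_IP = ""
UI_USER = "admin"
UI_PASS = "StrongAdminPassword"
EOF
}

# Demo run against the constructed sample (prints four findings).
tmp=$(mktemp) && write_sample_conf "$tmp" && csf_audit "$tmp"; rm -f "$tmp"
```

On a real server, run `csf_audit /etc/csf/csf.conf` as root before starting lfd with the UI enabled.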
