How to install and configure CSF on Fedora 34

Config Server Firewall (CSF) is a firewall configuration script designed to improve a server's security and to provide a user-friendly interface for managing firewall settings. It works alongside a service called Login Failure Daemon, or LFD. The following tutorial shows how to install CSF on Fedora 34.

Installation Procedure:

Step 1: Checking the OS version by using the following command

 [root@linuxhelp ~]# cat /etc/os-release
NAME=Fedora
VERSION="34 (Workstation Edition)"
ID=fedora
VERSION_ID=34
VERSION_CODENAME=""
PLATFORM_ID="platform:f34"
PRETTY_NAME="Fedora 34 (Workstation Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:34"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/34/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=34
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=34
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Workstation Edition"
VARIANT_ID=workstation

Step 2: Installing the required Perl packages by using the following command

 [root@linuxhelp ~]# dnf install perl-libwww-perl.noarch perl-Time-HiRes -y
Fedora Modular 34 - x86_64 - Updates                                                                        7.6 kB/s | 6.6 kB     00:00    
Fedora 34 - x86_64 - Updates                                                                                8.5 kB/s | 7.0 kB     00:00    
Fedora 34 - x86_64 - Updates                                                                                682 kB/s | 4.3 MB     00:06    
MySQL 8.0 Community Server                                                                                   24 kB/s | 2.6 kB     00:00    
MySQL Connectors Community                                                                                   77 kB/s | 2.6 kB     00:00    
MySQL Tools Community                                                                                        55 kB/s | 2.6 kB     00:00    
Remi's Modular repository - Fedora 34 - x86_64                                                              822  B/s | 858  B     00:01    
Remi's Modular repository - Fedora 34 - x86_64                                                              619 kB/s | 500 kB     00:00    
Remi's RPM repository - Fedora 34 - x86_64                                                                  1.3 kB/s | 858  B     00:00    
Remi's RPM repository - Fedora 34 - x86_64                                                                  2.8 MB/s | 2.8 MB     00:00    
Dependencies resolved.
============================================================================================================================================
 Package                                    Architecture              Version                              Repository                  Size
============================================================================================================================================
Installing:
 perl-Time-HiRes                            x86_64                    4:1.9764-460.fc34                    fedora                      58 k
 perl-libwww-perl                           noarch                    6.57-1.fc34                          updates                    201 k
Installing dependencies:
============================================================================================================================================
Install  26 Packages

  Verifying        : perl-WWW-RobotRules-6.02-28.fc34.noarch                                                                          26/26 

Complete!

Step 3: Downloading CSF by using the wget command

[root@linuxhelp mnt]# wget https://download.configserver.com/csf.tgz
--2021-11-30 03:57:22--  https://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 94.130.90.175
Connecting to download.configserver.com (download.configserver.com)|94.130.90.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2282088 (2.2M) [application/x-gzip]
Saving to: ‘csf.tgz’

csf.tgz                            100%[================================================================>]   2.18M  1.70MB/s    in 1.3s    

2021-11-30 03:57:24 (1.70 MB/s) - ‘csf.tgz’ saved [2282088/2282088]

Step 4: Extracting the downloaded file by using the tar command

[root@linuxhelp mnt]# tar -xvf csf.tgz
csf/
csf/ConfigServer/
csf/ConfigServer/AbuseIP.pm
csf/ConfigServer/CheckIP.pm
csf/ConfigServer/CloudFlare.pm
csf/ConfigServer/Config.pm
csf/ConfigServer/cseUI.pm
csf/ConfigServer/DisplayResellerUI.pm
csf/ConfigServer/DisplayUI.pm
csf/ConfigServer/GetEthDev.pm
csf/ConfigServer/GetIPs.pm
csf/ConfigServer/KillSSH.pm
csf/ConfigServer/Logger.pm
csf/ConfigServer/LookUpIP.pm
csf/ConfigServer/Messenger.pm
csf/ConfigServer/Ports.pm
csf/ConfigServer/RBLCheck.pm
csf/ConfigServer/RBLLookup.pm
csf/csf/bootstrap/fonts/glyphicons-halflings-regular.ttf
csf/csf/bootstrap/fonts/glyphicons-halflings-regular.woff
csf/csf/bootstrap/fonts/glyphicons-halflings-regular.woff2
csf/csf/bootstrap/js/
csf/csf/bootstrap/js/bootstrap.min.js
csf/csf/bootstrap-chosen.css
csf/csf/chosen-sprite.png
csf/csf/chosen-sprite@2x.png
csf/csf/chosen.min.css
csf/csf/chosen.min.js
csf/csf/configserver.css
csf/csf/csf-loader.gif
csf/csf/csf.svg
csf/csf/csf_small.png
csf/csf/jquery.min.js
csf/csf/LICENSE.txt
csf/csf/loader.gif
csf/csf/reseller_icon.svg

Step 5: Moving the extracted files to the following location

 [root@linuxhelp mnt]# mv csf /usr/src/

Step 6: Changing to the following directory

 [root@linuxhelp mnt]# cd /usr/src/csf/

Step 7: Long listing the files

 [root@linuxhelp csf]# ls -la
total 2532
drwxr-xr-x  1 root root   4476 Nov  8 22:56 .
drwxr-xr-x. 1 root root     30 Nov 30 04:00 ..
-rw-r--r--  1 root root    124 Feb  1  2013 accounttracking.txt
-rw-r--r--  1 root root    181 Feb  1  2013 alert.txt
-rw-r--r--  1 root root   1028 Feb 29  2020 apache.https.txt
-rw-r--r--  1 root root    770 Feb 29  2020 apache.http.txt
-rw-r--r--  1 root root      0 Feb 29  2020 apache.main.txt
-rw-r--r--  1 root root    720 Feb 17  2018 upgrade.txt
-rw-r--r--  1 root root    192 Feb  1  2013 usertracking.txt
drwxr-xr-x  1 root root     34 Nov  8 22:55 version
-rw-r--r--  1 root root      5 Nov  8 22:20 version.txt
drwxr-xr-x  1 root root     48 Nov  8 22:55 vestacp
-rw-r--r--  1 root root    129 Feb  1  2013 watchalert.txt
drwxr-xr-x  1 root root      6 Nov  8 22:55 webmin
-rw-r--r--  1 root root    146 May 23  2013 webminalert.txt
-rw-r--r--  1 root root   1225 Aug 12  2019 x-arf.txt

Step 8: Installing CSF by using the sh command

[root@linuxhelp csf]# sh install.sh 

Selecting installer...

Running csf generic installer

Installing generic csf and lfd

Check we're running as root

mkdir: cannot create directory ‘/etc/csf’: File exists
'install.txt' -> '/etc/csf/install.txt'
Checking Perl modules...
Using configuration defaults
...Perl modules OK
'csf.rblconf' -> '/etc/csf/./csf.rblconf'
'usertracking.txt' -> '/usr/local/csf/tpl/./usertracking.txt'

Don't forget to:
1. Configure the following options in the csf configuration to suite your server: TCP_*, UDP_*
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so
'lfd.service' -> '/usr/lib/systemd/system/lfd.service'
'csf.service' -> '/usr/lib/systemd/system/csf.service'
Created symlink /etc/systemd/system/multi-user.target.wants/csf.service → /usr/lib/systemd/system/csf.service.
Created symlink /etc/systemd/system/multi-user.target.wants/lfd.service → /usr/lib/systemd/system/lfd.service.
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'

Installation Completed

Step 9: Configuring CSF in the CSF configuration file

 [root@linuxhelp csf]# vim /etc/csf/csf.conf

Step 10: Starting the CSF Service

 [root@linuxhelp csf]# systemctl start csf lfd

Step 11: Enabling the CSF Service to start on boot

[root@linuxhelp csf]# systemctl enable csf lfd

Step 12: Starting the CSF firewall rules by using the following command

 [root@linuxhelp csf]# csf -s
Flushing chain `INPUT'
ACCEPT  icmpv6 opt    in * out !lo  ::/0  -> ::/0  
ACCEPT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt    in !lo out *  ::/0  -> ::/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt    in * out !lo  ::/0  -> ::/0   ctstate RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
ACCEPT  all opt    in lo out *  ::/0  -> ::/0  
ACCEPT  all opt    in * out lo  ::/0  -> ::/0  
LOGDROPOUT  all opt    in * out !lo  ::/0  -> ::/0  
LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0  
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0  
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0  
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 13: Adding an IP address to the allow list

 [root@linuxhelp csf]# csf -a 192.168.6.126
Adding 192.168.6.126 to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  192.168.6.126  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.126  

Step 14: Viewing the allow list file

 [root@linuxhelp csf]# vim /etc/csf/csf.allow

Step 15: Removing an IP address from the allow list

 [root@linuxhelp csf]# csf -ar 192.168.6.126
Removing rule...
ACCEPT  all opt -- in !lo out *  192.168.6.126  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.126  

Step 16: Adding an IP address to the deny list

[root@linuxhelp csf]# csf -d 192.168.6.127
Adding 192.168.6.127 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  192.168.6.127  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.127  

Step 17: Viewing the deny list file

 [root@linuxhelp csf]# vim /etc/csf/csf.deny

Step 18: Removing an IP address from the deny list

 [root@linuxhelp csf]# csf -dr 192.168.6.127
Removing rule...
DROP  all opt -- in !lo out *  192.168.6.127  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.127  

Step 19: Restarting CSF by using the following command

 [root@linuxhelp csf]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0  
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0  
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
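
The installer output in Step 8 says to set TESTING to 0, and the csf output in Step 12 warns that RESTRICT_SYSLOG is disabled. The script below is an added example, not part of the original tutorial or of CSF itself, that checks a csf.conf for those settings and for inbound TCP ports worth a second look; the function names, the REVIEW_PORTS list and the sample file are assumptions of the example.

```bash
# Ports of commonly cleartext services; this review list is an assumption of the example.
REVIEW_PORTS="21 23 110 143"

# Print the value of key $2 from file $1 (csf.conf lines look like KEY = "value").
csf_conf_get() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Print each REVIEW_PORTS port opened by TCP_IN; csf writes ranges as low:high.
flag_review_ports() {
    for entry in $(csf_conf_get "$1" TCP_IN | tr ',' ' '); do
        lo=${entry%%:*}; hi=${entry##*:}
        for p in $REVIEW_PORTS; do
            if [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]; then echo "$p"; fi
        done
    done
}

# Print one finding per line; return 0 when nothing is flagged, 1 otherwise.
# A missing TESTING key is flagged too, because the setting cannot be confirmed.
audit_csf_conf() {
    conf=$1; rc=0
    if [ "$(csf_conf_get "$conf" TESTING)" != "0" ]; then
        echo "TESTING is not 0: lfd will not run"; rc=1
    fi
    if [ "$(csf_conf_get "$conf" RESTRICT_SYSLOG)" = "0" ]; then
        echo "RESTRICT_SYSLOG is 0: read the SECURITY WARNING in csf.conf"; rc=1
    fi
    ports=$(flag_review_ports "$conf" | tr '\n' ' ')
    if [ -n "$ports" ]; then
        echo "TCP_IN opens ports on the review list: $ports"; rc=1
    fi
    return $rc
}

# Write a constructed sample (not a real server's file) in csf.conf syntax to path $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
TESTING = "1"
TESTING_INTERVAL = "5"
RESTRICT_SYSLOG = "0"
TCP_IN = "20:23,25,80,110,443"
EOF
}

# Demo on the constructed sample; on a server, pass /etc/csf/csf.conf instead.
sample=$(mktemp)
write_sample_conf "$sample"
audit_csf_conf "$sample" || echo "review the findings above before relying on the firewall"
rm -f "$sample"
```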

This concludes the installation and configuration of CSF on Fedora 34.

FAQ
Q
How to deny an IP in CSF from the command line?
A
To deny an IP in CSF from the command line, use
# csf -d mention_the_ipaddress
Q
How to add an IP in CSF from the command line?
A
To add an IP to the CSF allow list from the command line, use
# csf -a mention_the_ipaddress
Q
What is the command to reload the CSF firewall?
A
The command to reload the CSF firewall is
# csf -r
Q
What is the CSF configuration file location?
A
The configuration file location of csf is /etc/csf/csf.conf
Q
What is Config Server Firewall (CSF)?
A
Config Server Firewall (CSF) is a free Stateful Packet Inspection (SPI) firewall for most Linux distributions. It also provides login/intrusion detection for applications such as SSH, SMTP, IMAP, POP3, and the "su" command.