How to Install and Configure CSF on Rocky Linux 8.6
To Install And Configure CSF On Rocky Linux 8.6
Introduction:
CSF Stands for ConfigServer Firewall. CSF is a firewall software developed to keep your server safe. It comes with an advanced web-based interface to manage firewall settings.CSF includes other security features, including login/intrusion/flood detections.
Installation steps
Step 1: Check the OS version by using the below command
[root@linuxhelp ~]# cat /etc/os-release
NAME="Rocky Linux"
VERSION="8.6 (Green Obsidian)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.6"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Rocky Linux 8.6 (Green Obsidian)"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:rocky:rocky:8:GA"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
ROCKY_SUPPORT_PRODUCT="Rocky Linux"
ROCKY_SUPPORT_PRODUCT_VERSION="8"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8"
Step 2: Now install the CSF Dependency by using the below command
[root@linuxhelp ~]# yum install perl-libwww-perl.noarch perl-Time-HiRes
Rocky Linux 8 - AppStream 5.6 MB/s | 9.6 MB 00:01
Rocky Linux 8 - BaseOS 4.7 MB/s | 6.7 MB 00:01
Rocky Linux 8 - Extras 9.5 kB/s | 11 kB 00:01
Dependencies resolved.
============================================================================================================
Package Arch Version Repository Size
============================================================================================================
Installing:
perl-Time-HiRes x86_64 4:1.9758-2.el8 appstream 60 k
perl-libwww-perl noarch 6.34-1.module+el8.6.0+965+850557f9 appstream 211 k
Installing dependencies:
perl-Compress-Raw-Bzip2 x86_64 2.081-1.el8 baseos 39 k
perl-Compress-Raw-Zlib x86_64 2.081-1.el8 baseos 67 k
perl-Data-Dump noarch 1.23-7.module+el8.6.0+965+850557f9 appstream 36 k
perl-Digest-HMAC noarch 1.03-17.module+el8.6.0+965+850557f9 appstream 19 k
perl-Digest-SHA x86_64 1:6.02-1.el8 appstream 65 k
perl-Encode-Locale noarch 1.05-10.module+el8.6.0+965+850557f9 appstream 21 k
perl-File-Listing noarch 6.04-17.module+el8.6.0+965+850557f9 appstream 17 k
perl-HTML-Parser x86_64 3.72-15.module+el8.6.0+965+850557f9 appstream 118 k
perl-HTML-Tagset noarch 3.20-34.module+el8.6.0+965+850557f9 appstream 23 k
perl-HTTP-Cookies noarch 6.04-2.module+el8.6.0+965+850557f9 appstream 38 k
perl-HTTP-Date noarch 6.02-19.module+el8.6.0+965+850557f9 appstream 18 k
perl-HTTP-Message noarch 6.18-1.module+el8.6.0+965+850557f9 appstream 99 k
perl-HTTP-Negotiate noarch 6.01-19.module+el8.6.0+965+850557f9 appstream 21 k
perl-IO-Compress noarch 2.081-1.el8 baseos 257 k
perl-IO-HTML noarch 1.001-11.module+el8.6.0+965+850557f9 appstream 27 k
perl-LWP-MediaTypes noarch 6.02-15.module+el8.6.0+965+850557f9 appstream 28 k
perl-NTLM noarch 1.09-17.module+el8.6.0+965+850557f9 appstream 23 k
perl-Net-HTTP noarch 6.17-2.module+el8.6.0+965+850557f9 appstream 42 k
perl-TimeDate noarch 1:2.30-15.module+el8.6.0+965+850557f9 appstream 52 k
perl-Try-Tiny noarch 0.30-7.module+el8.6.0+965+850557f9 appstream 44 k
perl-WWW-RobotRules noarch 6.02-18.module+el8.6.0+965+850557f9 appstream 22 k
Step 3: Download the CSF package by using the below command
[root@linuxhelp Downloads]# wget https://download.configserver.com/csf.tgz
--2022-08-31 17:54:02-- https://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 94.130.90.175
Connecting to download.configserver.com (download.configserver.com)|94.130.90.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2283647 (2.2M) [application/x-gzip]
Saving to: ‘csf.tgz’
csf.tgz 100%[========================================>] 2.18M 2.04MB/s in 1.1s
2022-08-31 17:54:04 (2.04 MB/s) - ‘csf.tgz’ saved [2283647/2283647]
Step4: Extract the download Package by using the below command
[root@linuxhelp Downloads]# tar -xvf csf.tgz
csf/
csf/ConfigServer/
csf/ConfigServer/AbuseIP.pm
csf/ConfigServer/CheckIP.pm
csf/ConfigServer/CloudFlare.pm
csf/ConfigServer/Config.pm
csf/ConfigServer/cseUI.pm
csf/ConfigServer/DisplayResellerUI.pm
csf/ConfigServer/DisplayUI.pm
csf/ConfigServer/GetEthDev.pm
csf/ConfigServer/GetIPs.pm
csf/ConfigServer/KillSSH.pm
csf/ConfigServer/Logger.pm
csf/ConfigServer/LookUpIP.pm
Step 5: Change the directory CSF by using the below command
[root@linuxhelp Downloads]# cd csf
Step 6: Now install the CSF using shell script by using the below command
[root@linuxhelp csf]# sh install.sh
Selecting installer...
Running csf generic installer
Installing generic csf and lfd
Check we're running as root
mkdir: created directory '/etc/csf'
'install.txt' -> '/etc/csf/install.txt'
Checking Perl modules...
Using configuration defaults
...Perl modules OK
mkdir: cannot create directory ‘/etc/csf’: File exists
mkdir: created directory '/var/lib/csf'
mkdir: created directory '/var/lib/csf/backup'
mkdir: created directory '/var/lib/csf/Geo'
mkdir: created directory '/var/lib/csf/ui'
mkdir: created directory '/var/lib/csf/stats'
mkdir: created directory '/var/lib/csf/lock'
mkdir: created directory '/var/lib/csf/webmin'
mkdir: created directory '/var/lib/csf/zone'
mkdir: created directory '/usr/local/csf'
mkdir: created directory '/usr/local/csf/bin'
mkdir: created directory '/usr/local/csf/lib'
mkdir: created directory '/usr/local/csf/tpl'
'csf.generic.conf' -> '/etc/csf/csf.conf'
'csf.generic.allow' -> '/etc/csf/csf.allow'
'csf.deny' -> '/etc/csf/./csf.deny'
'csf.redirect' -> '/etc/csf/./csf.redirect'
'csf.resellers' -> '/etc/csf/./csf.resellers'
Step 7: Disable the firewalld Services by using the below command
[root@linuxhelp csf]# systemctl disable firewalld
Unit /etc/systemd/system/firewalld.service is masked, ignoring.
Step 8: Stop the Firewalld Services by using the below command
[root@linuxhelp csf]# systemctl stop firewalld
Step 9: Change the following directory by using the below command
[root@linuxhelp csf]# cd /usr/local/csf/bin/
Step 10: Run the command to check CSF working or not by using the below command
[root@linuxhelp bin]# perl csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Step 11: Change Testing “1” to Testing “0” in configuration by using the below command
[root@linuxhelp bin]# vim /etc/csf/csf.conf
Step 12: Enable the both CSF and IFD Services by using the below command
[root@linuxhelp bin]# systemctl enable csf lfd
Step 13: Start the both CSF and IFD Services by using the below command
[root@linuxhelp bin]# systemctl start csf.service lfd.service
Step 14: Start the CSF by using the below command
[root@linuxhelp bin]# csf -s
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Step 15: Allow the IP using CSF by using the below command
[root@linuxhelp bin]# csf -a 192.168.6.110
Adding 192.168.6.110 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 192.168.6.110 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.110
Step 16: Check the allowed IP list by using the below command
[root@linuxhelp bin]# vim /etc/csf/csf.allow
Step 17: Remove the allowed from CSF by using the below command
[root@linuxhelp bin]# csf -ar 192.168.6.110
Removing rule...
ACCEPT all opt -- in !lo out * 192.168.6.110 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.110
Step 18: Deny the IP using CSF by using the below command
[root@linuxhelp bin]# csf -d 192.168.6.120
Adding 192.168.6.120 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 192.168.6.120 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.120
Step 19: Check the deny IP list by using the below command
[root@linuxhelp bin]# vim /etc/csf/csf.deny
Step 20: Remove the deny IP using CSF by using the below command
[root@linuxhelp bin]# csf -dr 192.168.6.120
Removing rule...
DROP all opt -- in !lo out * 192.168.6.120 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.120
Step 21: Restart the CSF by using the below command
[root@linuxhelp bin]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `INVDROP'
Flushing chain `INVALID'
Deleting chain `LOGDROPIN'
Conclusion:
We have reached the end of this article. In this guide, we have walked you through the steps required to Install and configure CSF on Rocky Linux 8.6. Your feedback is much welcome.
Q
How do you restart the CSF?
A
Restart the CSF by csf -r
Q
How do you install the CSF package?
A
To install the CSF package execute the following command.sh install.sh
Q
Where Firewalld services are stored?
A
It is stored in various XML files in /usr/lib/firewalld/ and /etc/firewalld
Q
What are iptables rules?
A
iptables is a command-line interface used to set up and maintain tables for the Netfilter firewall for IPv4
Q
How should start CSF Services?
A
By using the systemctl enable csf command