How to install and configure CSF on Fedora 34
- 00:42 cat /etc/os-release
- 00:54 dnf install perl-libwww-perl.noarch perl-Time-HiRes perl-core -y
- 01:13 cd /mnt
- 01:20 wget https://download.configserver.com/csf.tgz
- 01:31 tar -xvf csf.tgz
- 01:48 mv csf /usr/src/
- 02:01 cd /usr/src/csf/
- 02:18 ls -la
- 02:30 sh install.sh
- 02:51 vim /etc/csf/csf.conf
- 03:21 systemctl start csf lfd
- 03:29 systemctl enable csf lfd
- 03:43 csf -s
- 04:00 csf -a 192.168.7.221
- 04:11 vim /etc/csf/csf.allow
- 04:30 csf -ar 192.168.7.221
- 04:55 csf -d 192.168.7.222
- 05:18 vim /etc/csf/csf.deny
- 05:42 csf -dr 192.168.7.222
- 06:07 csf -r
To install and configure CSF on Fedora 34
Config Server Firewall (CSF) is a firewall configuration script designed to improve a server's security and to provide a user-friendly interface for managing firewall settings. It is installed together with a service called Login Failure Daemon, or LFD. The following tutorial shows how to install CSF on Fedora 34.
Installation Procedure:
Step 1: Checking the OS version by using the following command
[root@linuxhelp ~]# cat /etc/os-release
NAME=Fedora
VERSION="34 (Workstation Edition)"
ID=fedora
VERSION_ID=34
VERSION_CODENAME=""
PLATFORM_ID="platform:f34"
PRETTY_NAME="Fedora 34 (Workstation Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:34"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/34/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=34
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=34
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Workstation Edition"
VARIANT_ID=workstation
Step 2: Installing the required Perl packages by using the following command
[root@linuxhelp ~]# dnf install perl-libwww-perl.noarch perl-Time-HiRes -y
Fedora Modular 34 - x86_64 - Updates 7.6 kB/s | 6.6 kB 00:00
Fedora 34 - x86_64 - Updates 8.5 kB/s | 7.0 kB 00:00
Fedora 34 - x86_64 - Updates 682 kB/s | 4.3 MB 00:06
MySQL 8.0 Community Server 24 kB/s | 2.6 kB 00:00
MySQL Connectors Community 77 kB/s | 2.6 kB 00:00
MySQL Tools Community 55 kB/s | 2.6 kB 00:00
Remi's Modular repository - Fedora 34 - x86_64 822 B/s | 858 B 00:01
Remi's Modular repository - Fedora 34 - x86_64 619 kB/s | 500 kB 00:00
Remi's RPM repository - Fedora 34 - x86_64 1.3 kB/s | 858 B 00:00
Remi's RPM repository - Fedora 34 - x86_64 2.8 MB/s | 2.8 MB 00:00
Dependencies resolved.
============================================================================================================================================
Package Architecture Version Repository Size
============================================================================================================================================
Installing:
perl-Time-HiRes x86_64 4:1.9764-460.fc34 fedora 58 k
perl-libwww-perl noarch 6.57-1.fc34 updates 201 k
Installing dependencies:
============================================================================================================================================
Install 26 Packages
Verifying : perl-WWW-RobotRules-6.02-28.fc34.noarch 26/26
Complete!
Step 3: Downloading CSF by using the wget command
[root@linuxhelp mnt]# wget https://download.configserver.com/csf.tgz
--2021-11-30 03:57:22-- https://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 94.130.90.175
Connecting to download.configserver.com (download.configserver.com)|94.130.90.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2282088 (2.2M) [application/x-gzip]
Saving to: ‘csf.tgz’
csf.tgz 100%[================================================================>] 2.18M 1.70MB/s in 1.3s
2021-11-30 03:57:24 (1.70 MB/s) - ‘csf.tgz’ saved [2282088/2282088]
Step 4: Extracting the downloaded file by using the tar command
[root@linuxhelp mnt]# tar -xvf csf.tgz
csf/
csf/ConfigServer/
csf/ConfigServer/AbuseIP.pm
csf/ConfigServer/CheckIP.pm
csf/ConfigServer/CloudFlare.pm
csf/ConfigServer/Config.pm
csf/ConfigServer/cseUI.pm
csf/ConfigServer/DisplayResellerUI.pm
csf/ConfigServer/DisplayUI.pm
csf/ConfigServer/GetEthDev.pm
csf/ConfigServer/GetIPs.pm
csf/ConfigServer/KillSSH.pm
csf/ConfigServer/Logger.pm
csf/ConfigServer/LookUpIP.pm
csf/ConfigServer/Messenger.pm
csf/ConfigServer/Ports.pm
csf/ConfigServer/RBLCheck.pm
csf/ConfigServer/RBLLookup.pm
csf/csf/bootstrap/fonts/glyphicons-halflings-regular.ttf
csf/csf/bootstrap/fonts/glyphicons-halflings-regular.woff
csf/csf/bootstrap/fonts/glyphicons-halflings-regular.woff2
csf/csf/bootstrap/js/
csf/csf/bootstrap/js/bootstrap.min.js
csf/csf/bootstrap-chosen.css
csf/csf/chosen-sprite.png
csf/csf/chosen-sprite@2x.png
csf/csf/chosen.min.css
csf/csf/chosen.min.js
csf/csf/configserver.css
csf/csf/csf-loader.gif
csf/csf/csf.svg
csf/csf/csf_small.png
csf/csf/jquery.min.js
csf/csf/LICENSE.txt
csf/csf/loader.gif
csf/csf/reseller_icon.svg
Step 5: Moving the extracted files to the following location
[root@linuxhelp mnt]# mv csf /usr/src/
Step 6: Changing to the following directory
[root@linuxhelp mnt]# cd /usr/src/csf/
Step 7: Long listing the files
[root@linuxhelp csf]# ls -la
total 2532
drwxr-xr-x 1 root root 4476 Nov 8 22:56 .
drwxr-xr-x. 1 root root 30 Nov 30 04:00 ..
-rw-r--r-- 1 root root 124 Feb 1 2013 accounttracking.txt
-rw-r--r-- 1 root root 181 Feb 1 2013 alert.txt
-rw-r--r-- 1 root root 1028 Feb 29 2020 apache.https.txt
-rw-r--r-- 1 root root 770 Feb 29 2020 apache.http.txt
-rw-r--r-- 1 root root 0 Feb 29 2020 apache.main.txt
-rw-r--r-- 1 root root 720 Feb 17 2018 upgrade.txt
-rw-r--r-- 1 root root 192 Feb 1 2013 usertracking.txt
drwxr-xr-x 1 root root 34 Nov 8 22:55 version
-rw-r--r-- 1 root root 5 Nov 8 22:20 version.txt
drwxr-xr-x 1 root root 48 Nov 8 22:55 vestacp
-rw-r--r-- 1 root root 129 Feb 1 2013 watchalert.txt
drwxr-xr-x 1 root root 6 Nov 8 22:55 webmin
-rw-r--r-- 1 root root 146 May 23 2013 webminalert.txt
-rw-r--r-- 1 root root 1225 Aug 12 2019 x-arf.txt
Step 8: Installing CSF by using the sh command
[root@linuxhelp csf]# sh install.sh
Selecting installer...
Running csf generic installer
Installing generic csf and lfd
Check we're running as root
mkdir: cannot create directory ‘/etc/csf’: File exists
'install.txt' -> '/etc/csf/install.txt'
Checking Perl modules...
Using configuration defaults
...Perl modules OK
'csf.rblconf' -> '/etc/csf/./csf.rblconf'
'usertracking.txt' -> '/usr/local/csf/tpl/./usertracking.txt'
Don't forget to:
1. Configure the following options in the csf configuration to suite your server: TCP_*, UDP_*
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so
'lfd.service' -> '/usr/lib/systemd/system/lfd.service'
'csf.service' -> '/usr/lib/systemd/system/csf.service'
Created symlink /etc/systemd/system/multi-user.target.wants/csf.service → /usr/lib/systemd/system/csf.service.
Created symlink /etc/systemd/system/multi-user.target.wants/lfd.service → /usr/lib/systemd/system/lfd.service.
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'
Installation Completed
Step 9: Configuring CSF in the CSF configuration file
[root@linuxhelp csf]# vim /etc/csf/csf.conf
Step 10: Starting the CSF service
[root@linuxhelp csf]# systemctl start csf lfd
Step 11: Enabling the CSF service to start on boot
[root@linuxhelp csf]# systemctl enable csf lfd
Step 12: Restart the CSF service by using the following command
[root@linuxhelp csf]# csf -s
Flushing chain `INPUT'
ACCEPT icmpv6 opt in * out !lo ::/0 -> ::/0
ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt in !lo out * ::/0 -> ::/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt in * out !lo ::/0 -> ::/0 ctstate RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt in lo out * ::/0 -> ::/0
ACCEPT all opt in * out lo ::/0 -> ::/0
LOGDROPOUT all opt in * out !lo ::/0 -> ::/0
LOGDROPIN all opt in !lo out * ::/0 -> ::/0
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
Step 13: Adding an IP address to the allow list
[root@linuxhelp csf]# csf -a 192.168.6.126
Adding 192.168.6.126 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 192.168.6.126 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.126
Step 14: Viewing the allow list file
[root@linuxhelp csf]# vim /etc/csf/csf.allow
Step 15: Removing an IP address from the allow list
[root@linuxhelp csf]# csf -ar 192.168.6.126
Removing rule...
ACCEPT all opt -- in !lo out * 192.168.6.126 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.126
Step 16: Adding an IP address to the deny list
[root@linuxhelp csf]# csf -d 192.168.6.127
Adding 192.168.6.127 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 192.168.6.127 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.127
Step 17: Viewing the deny list file
[root@linuxhelp csf]# vim /etc/csf/csf.deny
Step 18: Removing an IP address from the deny list
[root@linuxhelp csf]# csf -dr 192.168.6.127
Removing rule...
DROP all opt -- in !lo out * 192.168.6.127 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.127
Step 19: Restarting CSF by using the following command
[root@linuxhelp csf]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
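The installer output in Step 8 and the warnings printed by csf -s name settings in /etc/csf/csf.conf that Step 9 leaves to the reader: TESTING, RESTRICT_SYSLOG and the TCP_* port lists. The script below is an added example, not part of the original tutorial or of CSF itself; it only reads a csf.conf-style file and reports on those settings. The function names, the constructed sample configuration and the expected port list 22,80,443 are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): read-only audit of a csf.conf file.

# Print the value of KEY from a file of KEY = "value" lines (empty if absent).
csf_get() {  # usage: csf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Print the entries of a port list (e.g. TCP_IN) that are not on the expected list.
csf_unexpected_ports() {  # usage: csf_unexpected_ports FILE KEY "22,80,443"
    local open expected p out=""
    open=$(csf_get "$1" "$2")
    expected=",$3,"
    local IFS=,
    for p in $open; do
        case "$expected" in
            *",$p,"*) ;;
            *) out="${out:+$out,}$p" ;;
        esac
    done
    echo "$out"
}

# Print one finding per line; return 1 if there is any finding, else 0.
csf_audit() {  # usage: csf_audit FILE EXPECTED_TCP_IN
    local rc=0 v
    v=$(csf_get "$1" TESTING)
    [ "$v" = "0" ] || { echo "TESTING=\"$v\": lfd will not run until this is 0"; rc=1; }
    v=$(csf_get "$1" RESTRICT_SYSLOG)
    [ "$v" != "0" ] || { echo "RESTRICT_SYSLOG=\"0\": see SECURITY WARNING in csf.conf"; rc=1; }
    v=$(csf_unexpected_ports "$1" TCP_IN "$2")
    [ -z "$v" ] || { echo "TCP_IN has ports outside the expected list: $v"; rc=1; }
    return $rc
}

# Constructed sample in csf.conf syntax, used when no file is given.
sample_conf() {
    printf '%s\n' 'TESTING = "1"' 'TESTING_INTERVAL = "5"' \
        'RESTRICT_SYSLOG = "0"' 'TCP_IN = "20,21,22,25,53,80,110,143,443"'
}

conf=${1:-}
if [ -z "$conf" ]; then
    conf=$(mktemp) && sample_conf > "$conf"
    trap 'rm -f "$conf"' EXIT
fi
csf_audit "$conf" "22,80,443" || echo "Review the findings above before relying on the firewall."
```

Pass /etc/csf/csf.conf as the first argument to check the installed file; with no argument the script audits the constructed sample.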
With this, the installation and configuration of CSF on Fedora 34 comes to an end.