How to Install and Configure CSF on Oracle Linux 8.5
Introduction:
ConfigServer Firewall (CSF) is an advanced firewall suite for Linux systems that enhances the security of your server. It also includes the Login Failure Daemon (LFD), a process that regularly scans for failed login attempts on your server and takes action against the offending IP addresses.
Installation Steps:
Step 1: Check the version of Oracle Linux by using the below command
[root@linuxhelp linuxhelp]# cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="8.5"
ID="ol"
Step 2: To Install the CSF Dependencies use the below command
[root@linuxhelp ~]# yum install perl-libwww-perl.noarch perl-Time-HiRes
Install 23 Packages
….
Total download size: 1.3 M
Installed size: 2.7 M
Is this ok [y/N]: y
Downloading Packages:
Total 2.0 MB/s
Installed:
perl-Compress-Raw-Bzip2-2.081-1.el8.x86_64 perl-Compress-Raw-Zlib-2.081-1.el8.x86_64 perl-Data-Dump-1.23-7.module+el8.3.0+7692+542c56f9.noarch
perl-Digest-HMAC-1.03-17.module+el8.3.0+7692+542c56f9.noarch perl-Digest-SHA-1:6.02-1.el8.x86_64 perl-Encode-Locale-1.05-10.module+el8.3.0+7692+542c56f9.noarch
perl-File-Listing-6.04-17.module+el8.3.0+7692+542c56f9.noarch perl-HTML-Parser-3.72-15.module+el8.3.0+7692+542c56f9.x86_64 perl-HTML-Tagset-3.20-34.module+el8.3.0+7692+542c56f9.noarch
Complete!
Step 3: Download the CSF Package by using the below command
[root@linuxhelp ~]# wget https://download.configserver.com/csf.tgz
--2022-06-10 01:51:54-- https://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 94.130.90.175
Connecting to download.configserver.com (download.configserver.com)|94.130.90.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2283608 (2.2M) [application/x-gzip]
Saving to: ‘csf.tgz’
csf.tgz 100%[=================================================>] 2.18M 2.22MB/s in 1.0s
2022-06-10 01:51:56 (2.22 MB/s) - ‘csf.tgz’ saved [2283608/2283608]
Step 4: Extract the Downloaded Package by using the below command
[root@linuxhelp ~]# tar -xvf csf.tgz
csf/uninstall.cwp.sh
csf/upgrade.txt
csf/usertracking.txt
csf/version.txt
csf/watchalert.txt
csf/webminalert.txt
csf/x-arf.txt
Step 5: List the Extracted Directory by using the below command
[root@linuxhelp ~]# ls
anaconda-ks.cfg csf csf.tgz initial-setup-ks.cfg
Step 6: Change Directory to CSF by using the below command
[root@linuxhelp ~]# cd csf
Step 7: Now install CSF with its shell script by using the below command
[root@linuxhelp csf]# sh install.sh
'csf.service' -> '/usr/lib/systemd/system/csf.service'
Created symlink /etc/systemd/system/multi-user.target.wants/csf.service → /usr/lib/systemd/system/csf.service.
Created symlink /etc/systemd/system/multi-user.target.wants/lfd.service → /usr/lib/systemd/system/lfd.service.
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'
Installation Completed
Step 8: Disable and stop firewalld by using the below commands (install.sh has already masked the unit, as the output shows)
[root@linuxhelp csf]# systemctl disable firewalld
Unit /etc/systemd/system/firewalld.service is masked, ignoring.
[root@linuxhelp csf]# systemctl stop firewalld
Step 9: Change directory to this location by using the below command
[root@linuxhelp csf]# cd /usr/local/csf/bin
Step 10: Run the test script to check whether CSF will work on this server by using the below command
[root@linuxhelp bin]# perl csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Step 11: Change TESTING = "1" to TESTING = "0" in /etc/csf/csf.conf by using the below command
[root@linuxhelp bin]# vim /etc/csf/csf.conf
#Testing flag - enables a CRON job that clears iptables incase of
#configuration problems when you start csf. This should be enabled until you
#are sure that the firewall works - i.e. incase you get locked out of your
#server! Then do remember to set it to 0 and restart csf when you're sure
#everything is OK. Stopping csf will remove the line from /etc/crontab
#lfd will not start while this is enabled
TESTING = "0"
Step 12: Enable and Start both csf and lfd services by using the below command
[root@linuxhelp bin]# systemctl enable csf lfd
[root@linuxhelp bin]# systemctl start csf lfd
Step 13: Start CSF by using the below command
[root@linuxhelp bin]# csf -s
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
Step 14: Allow the IP by using the below command
[root@linuxhelp bin]# csf -a 192.168.6.135
Adding 192.168.6.135 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 192.168.6.135 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.135
Step 15: Check the Allowed IP List by using the below command
[root@linuxhelp bin]# vim /etc/csf/csf.allow
#The following IP addresses will be allowed through iptables.
#One IP address per line.
#Only list IP addresses, not domain names (they will be ignored)
192.168.6.135 # Manually allowed: 192.168.6.135 (-) - Fri Jun 10 01:57:49 2022
Step 16: Deny the IP by using the below command
[root@linuxhelp bin]# csf -d 192.168.6.136
Adding 192.168.6.136 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 192.168.6.136 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.136
Step 17: Check the Denied IP List by using the below command
[root@linuxhelp bin]# vim /etc/csf/csf.deny
#The following IP addresses will be blocked in iptables
#One IP address per line
#Only list IP addresses, not domain names (they will be ignored)
192.168.6.136 # Manually denied: 192.168.6.136 (-) - Fri Jun 10 03:00:23 2022
Step 18: Remove the rules for the allowed and denied IPs by using the below commands
[root@linuxhelp bin]# csf -ar 192.168.6.135
Removing rule...
ACCEPT all opt -- in !lo out * 192.168.6.135 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.135
[root@linuxhelp bin]# csf -dr 192.168.6.136
Removing rule...
DROP all opt -- in !lo out * 192.168.6.136 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.136
Step 19: Restart CSF by using the below command
[root@linuxhelp bin]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
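The TESTING flag from Step 11 and the warnings csf prints in Steps 13 and 19 can be checked straight from the configuration file before a restart. The script below is an added example, not part of the original guide or of CSF itself; the helper names csf_conf_get and csf_conf_audit are hypothetical, the sample config is constructed, and it assumes RESTRICT_SYSLOG = "0" is the value behind the "disabled" warning.

```shell
#!/bin/sh
# Added example (not from the original guide). csf_conf_get and
# csf_conf_audit are hypothetical helper names.

# Print the last value assigned to KEY in a csf.conf-style file,
# where settings look like: KEY = "value"
csf_conf_get() {
    awk -v key="$2" -F'"' '
        /^[ \t]*#/ { next }                  # skip comment lines
        { k = $1; gsub(/[ \t=]/, "", k)      # text before the first quote
          if (k == key) v = $2 }
        END { print v }' "$1"
}

# Print one finding per line; return 1 if anything was found.
csf_conf_audit() {
    conf=$1; rc=0
    if [ "$(csf_conf_get "$conf" TESTING)" != "0" ]; then
        echo "TESTING: not 0, lfd will not start and the cron job clears iptables"
        rc=1
    fi
    # Assumption: "0" is the value behind the "RESTRICT_SYSLOG is disabled" warning.
    if [ "$(csf_conf_get "$conf" RESTRICT_SYSLOG)" = "0" ]; then
        echo "RESTRICT_SYSLOG: disabled, read SECURITY WARNING in csf.conf"
        rc=1
    fi
    bin=$(csf_conf_get "$conf" SENDMAIL)
    if [ -n "$bin" ] && [ ! -x "$bin" ]; then
        echo "SENDMAIL: $bin is missing or not executable"
        rc=1
    fi
    return "$rc"
}

# Constructed sample config; on a real host pass /etc/csf/csf.conf instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Testing flag
TESTING = "1"
RESTRICT_SYSLOG = "0"
SENDMAIL = "/nonexistent/sendmail"
EOF
csf_conf_audit "$sample" || echo "csf.conf needs attention"
rm -f "$sample"
```

On the server, run csf_conf_audit /etc/csf/csf.conf; no output and a zero exit status mean none of the three conditions apply.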
Conclusion:
We have reached the end of this article. In this guide, we have walked you through the steps required to install and configure CSF on Oracle Linux 8.5. Your feedback is most welcome.