How to install and use CSF on OpenSUSE leap 42.1

To Install and Use CSF on OpenSUSE leap 42.1

Config Server Firewall is abbreviated as CSF. CSf is the most commonly using firewall application to secure Linux servers. CSF has wide range of options to manage Linux firewall via comman-line and from the control panel. The csf installation includes preconfigured configurations and control panel UI’s for cPanel, DirectAdmin and Webmin.This article covers the method to install CSF on OpenSUSE leap 42.1. 

 

Installing CSF

Before you begin with the process, you need to move to the directory where you want to download the package. Run the following command for the same purpose. 

linuxhelp:~ # cd /usr/src/

 

Next, downlaod CSF using wget command in the following manner. 

linuxhelp:/usr/src # wget https://download.configserver.com/csf.tgz
--2017-11-16 12:56:02--  https://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 85.10.199.177
Connecting to download.configserver.com (download.configserver.com)|85.10.199.177|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1546204 (1.5M) [application/x-gzip]
Saving to: ‘csf.tgz’

100%[=================================================================================================>] 1,546,204   22.2KB/s   in 64s   
2017-11-16 12:57:07 (23.6 KB/s) - ‘csf.tgz’ saved [1546204/1546204]

 

After that, you need to extract the package by running the following command.

linuxhelp:/usr/src # tar -xzf csf.tgz

 


Then, move inside the extracted directory by making use of the following command. 

linuxhelp:/usr/src # cd csf/

 

Here, you can install CSF by executing the below mentioned command. 

linuxhelp:/usr/src/csf # sh install.sh
Selecting installer...

Running csf generic installer

Installing generic csf and lfd

Check we're running as root

Checking Perl modules...
Configuration modified for SuSE settings /etc/csf/csf.conf
...Perl modules OK

mkdir: created directory ‘/etc/csf’
.
.
.
.
‘csf/configserver.css’ -> ‘webmin/csf/images/configserver.css’
‘csf/csf-loader.gif’ -> ‘webmin/csf/images/csf-loader.gif’
‘csf/csf.svg’ -> ‘webmin/csf/images/csf.svg’
‘csf/csf_small.png’ -> ‘webmin/csf/images/csf_small.png’
‘csf/jquery.min.js’ -> ‘webmin/csf/images/jquery.min.js’
‘csf/loader.gif’ -> ‘webmin/csf/images/loader.gif’
‘/etc/csf/csfwebmin.tgz’ -> ‘/usr/local/csf/csfwebmin.tgz’

Installation Completed

 

After the installation, you shall check if you have the required iptables modules. And for that, you need to run the following command. 

linuxhelp:/usr/src/csf # perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...open3: exec of /sbin/iptables -I OUTPUT -p tcp --dport 9999 -j ACCEPT

 

CSF Configuration

We have installed the CSF in testing mode so it does not provide full protection of your server from attacks. For disabling the testing mode you should configure the CSF according to your requirement. So, open the configuration file. 

linuxhelp:/usr/src/csf #  vim /etc/csf/csf.conf

 

And change the testing mode by simply changing the variable of testing from TESTING = “1” to “TESTING=0”. 

# Allow incoming TCP ports

TCP_IN =”20,21,22,25,53,80,110,143,443,465,587,993,995”


# Allow outgoing TCP ports

TCP_OUT =”20,21,22,25,53,80,110,113,443”

# Allow incoming UDP ports

UDP_IN = “20,21,53”

# Allow incoming UDP ports

# to allow traceroute add 33434:33523 to the list

UDP_OUT =”20,21,53,113,123”

 

Later, you shall start your csf service and check its status. 

linuxhelp:/usr/src/csf # systemctl start csf
linuxhelp:/usr/src/csf # systemctl status csf
csf.service - ConfigServer Firewall & Security - csf
   Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled)
   Active: active (exited) since Thu 2017-11-16 13:04:54 IST; 1s ago
  Process: 11434 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS)
 Main PID: 11434 (code=exited, status=0/SUCCESS)

Nov 16 13:04:54 linuxhelp csf[11434]: ACCEPT  udp opt -- in !lo out *  8.8.4.4  -> 0.0.0.0/0   udp dpt:53
Nov 16 13:04:54 linuxhelp csf[11434]: ACCEPT  tcp opt -- in !lo out *  8.8.4.4  -> 0.0.0.0/0   tcp dpt:53
Nov 16 13:04:54 linuxhelp csf[11434]: ACCEPT  udp opt -- in * out !lo  0.0.0.0/0  -> 8.8.4.4   udp spt:53
Nov 16 13:04:54 linuxhelp csf[11434]: ACCEPT  tcp opt -- in * out !lo  0.0.0.0/0  -> 8.8.4.4   tcp spt:53
Nov 16 13:04:54 linuxhelp csf[11434]: ACCEPT  udp opt -- in * out !lo  0.0.0.0/0  -> 8.8.4.4   udp dpt:53
Nov 16 13:04:54 linuxhelp csf[11434]: ACCEPT  tcp opt -- in * out !lo  0.0.0.0/0  -> 8.8.4.4   tcp dpt:53
Nov 16 13:04:54 linuxhelp csf[11434]: LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
Nov 16 13:04:54 linuxhelp csf[11434]: LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
Nov 16 13:04:54 linuxhelp csf[11434]: *WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
Nov 16 13:04:54 linuxhelp systemd[1]: Started ConfigServer Firewall & Security - csf.

 

Options in CSF

If you want to allow an IP, you shall run the -a option followed by the IP. 

linuxhelp:/usr/src/csf # csf -a 192.168.7.219

Adding 192.168.7.219 to csf.allow only while in TESTING mode (not iptables ACCEPT)

Next, open your csf.allow file

linuxhelp:/usr/src/csf # vim /etc/csf/csf.allow

You'll see the IP that was added. 

192.168.7.219 # Manually allowed: 192.168.7.219 (Unknown) - Thu Nov 16 13:06:58 2017

 

csf.allow

 

You shall remove that IP from your allow list by using the -ar option along with the IP. 

linuxhelp:/usr/src/csf # csf -ar 192.168.7.219
Removing rule...
iptables: Bad rule (does a matching rule exist in that chain?).
ACCEPT  all opt -- in !lo out *  192.168.7.219  -> 0.0.0.0/0 
iptables: Bad rule (does a matching rule exist in that chain?).
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.7.219 

 

You shall also check if it is removed. 

linuxhelp:/usr/src/csf # vim /etc/csf/csf.allow

 

csf.allow

 

If you want to deny the IP address, you shall simply use the -d option in the following manner. 

linuxhelp:/usr/src/csf # csf -d 192.168.7.219

Adding 192.168.7.219 to csf.deny and iptables DROP...

iptables: No chain/target/match by that name.

DROP  all opt -- in !lo out *  192.168.7.219  -> 0.0.0.0/0 

 

You can check if the denied IP is added in the csf.deny file. 

linuxhelp:/usr/src/csf # vim /etc/csf/csf.deny

192.168.7.219 # Manually denied: 192.168.7.219 (Unknown) - Thu Nov 16 13:11:24 2017

 

You can remove the denied IP from the csf.deny file by running the dr option. 

linuxhelp:/usr/src/csf # csf -dr 192.168.7.219

Removing rule...

DROP  all opt -- in !lo out *  192.168.7.219  -> 0.0.0.0/0  

LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.7.219 

You can check and see the csf.deny file. 

check

 

 

You can grep the IP address by running the -g option. 

linuxhelp:/usr/src/csf # csf -g 192.168.7.219


Chain            num   pkts bytes target     prot opt in     out     source               destination        


DENYIN           1        0     0 DROP       all  --  !lo    *       192.168.7.219        0.0.0.0/0


DENYOUT          1        0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            192.168.7.219


csf.deny: 192.168.7.219 # Manually denied: 192.168.7.219 (Unknown) - Thu Nov 16 13:11:24 2017

 

You can also completly disable csf by using the x option. 

linuxhelp:/usr/src/csf # csf -x

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

Flushing chain `PREROUTING'

Flushing chain `INPUT'

Flushing chain `OUTPUT'

Flushing chain `POSTROUTING'

csf and lfd have been disabled

 

You can enable the disabled CSF by using the -e option. 

linuxhelp:/usr/src/csf # csf -e

DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:23

DROP  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   udp dpt:23

DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:67

DROP  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   udp dpt:67

DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:68

DROP  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   udp dpt:68

DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:111

.

.

.

.

lfd.service - ConfigServer Firewall & Security - lfd

   Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled)

   Active: active (running) since Thu 2017-11-16 13:14:37 IST; 9ms ago

  Process: 11993 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)

 Main PID: 12001 (lfd - starting)

   CGroup: /system.slice/lfd.service

           └─12001 lfd - starting            


Nov 16 13:14:36 linuxhelp systemd[1]: Starting ConfigServer Firewall & Security - lfd...

Nov 16 13:14:37 linuxhelp systemd[1]: Started ConfigServer Firewall & Security - lfd.

csf and lfd have been enabled

 

If you want to check the IPv4 iptables configuration run the -l option. 

linuxhelp:/usr/src/csf # csf -l

Chain INPUT (policy DROP 0 packets, 0 bytes)

num   pkts bytes target     prot opt in     out     source               destination        

1        0     0 ACCEPT     tcp  --  !lo    *       8.8.4.4              0.0.0.0/0            tcp dpt:53

2        0     0 ACCEPT     udp  --  !lo    *       8.8.4.4              0.0.0.0/0            udp dpt:53

3        0     0 ACCEPT     tcp  --  !lo    *       8.8.4.4              0.0.0.0/0            tcp spt:53

4        0     0 ACCEPT     udp  --  !lo    *       8.8.4.4              0.0.0.0/0            udp spt:53



Chain PREROUTING (policy ACCEPT 7 packets, 697 bytes)

num   pkts bytes target     prot opt in     out     source               destination        


Chain INPUT (policy ACCEPT 3 packets, 234 bytes)

num   pkts bytes target     prot opt in     out     source               destination        


Chain OUTPUT (policy ACCEPT 8 packets, 519 bytes)

num   pkts bytes target     prot opt in     out     source               destination        


Chain POSTROUTING (policy ACCEPT 8 packets, 519 bytes)

num   pkts bytes target     prot opt in     out     source               destination  

 

You can start the csf service with the -s command. 

linuxhelp:/usr/src/csf # csf -s

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

Flushing chain `ALLOWIN'

Flushing chain `ALLOWOUT'

Flushing chain `DENYIN'

Flushing chain `DENYOUT'


ACCEPT  udp opt -- in * out !lo  0.0.0.0/0  -> 8.8.4.4   udp spt:53

ACCEPT  tcp opt -- in * out !lo  0.0.0.0/0  -> 8.8.4.4   tcp spt:53

ACCEPT  udp opt -- in * out !lo  0.0.0.0/0  -> 8.8.4.4   udp dpt:53

ACCEPT  tcp opt -- in * out !lo  0.0.0.0/0  -> 8.8.4.4   tcp dpt:53

LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0 

LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0       

 

You shall restart the csf service by running the command with the -r option. 

linuxhelp:/usr/src/csf # csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'

ACCEPT  udp opt -- in * out !lo  0.0.0.0/0  -> 8.8.4.4   udp spt:53
ACCEPT  tcp opt -- in * out !lo  0.0.0.0/0  -> 8.8.4.4   tcp spt:53
ACCEPT  udp opt -- in * out !lo  0.0.0.0/0  -> 8.8.4.4   udp dpt:53
ACCEPT  tcp opt -- in * out !lo  0.0.0.0/0  -> 8.8.4.4   tcp dpt:53
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0 
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0       

With this, the installation and usage of CSF comes to an end. 

 

 


Thank you! for using Linux Help.

You find this tutorial helpful? Share with your friends to keep it alive.
For more help topics browse our website www.linuxhelp.com
Be the first to comment, we value your suggestions. For further queries please comment below.

Tags: OpenSUSE - Leap CSF (ConfigServer Security & Firewall) – LFD (Login Failure Daemon)
user image Author :  Connor