How To Secure A Linux (CentOS) Server Using CSF (ConfigServer Security and Firewall)?

What is ConfigServer Security and Firewall (CSF)?

ConfigServer Security and Firewall is the most commonly used advanced firewall on Linux servers. It is used for login/intrusion detection, SSH login notification, excessive connection blocking, suspicious file reporting, etc.

In this tutorial, we will go through the installation of CSF on a Linux server (CentOS) and also the basic and most important options in the CSF configuration file.

Installing & Configuring CSF

CSF provides an installation script with which we can install the CSF package in a single execution. We just have to download the archive that contains the script and run it.

Here are the steps for installing CSF:

#Change working directory to the desired installation directory

cd /usr/local/src

#Remove the existing package archive

rm -fv csf.tgz

#Download the package which contains the install script

wget https://download.configserver.com/csf.tgz

#Extract the archive

tar -xzf csf.tgz

#Change working directory to the CSF directory which contains the installation script

cd csf

#Execute the installation script

sh install.sh

This will install CSF on the server, and you can allow/deny IPs, ports, etc. with the ‘csf’ command. There are many other options as well, and we will see them later as we progress.

To test whether CSF will work on the server, run:

perl /usr/local/csf/bin/csftest.pl

The script checks each iptables module that CSF needs and reports whether it is present on the server.

Please note that you need to have perl installed on the server to execute this script. If it is not installed, you can install it with:

yum install perl

If any FATAL errors are reported, this installation is not going to work, so you need to have those errors fixed first.

Also make sure that no other iptables firewall script is installed. If you have installed APF + BFD previously, you can remove them by running the script given below.

sh /usr/local/csf/bin/remove_apf_bfd.sh

CSF is now installed, but by default it runs in ‘Testing’ mode. To change this, you need to make the following change in the CSF configuration file.

vi /etc/csf/csf.conf

Edit the value as shown below.

TESTING = "0"

You can restart csf service with,

csf -r

Or,

/etc/init.d/csf restart

With this, CSF will be active and running. We can now move on to the basic security settings in the CSF configuration file (/etc/csf/csf.conf).

Allowing TCP and UDP Incoming and Outgoing Ports

Since attackers often exploit open ports on the server, it is advised to keep only the necessary ports open and deny access to all the other ports. This is done by listing the necessary and commonly used TCP and UDP ports in the CSF configuration file. All other ports will be closed, and attempts to access the unallowed ports will be blocked by CSF.

Below is the section of the configuration file where you can allow the incoming and outgoing TCP and UDP ports.

# Allow incoming TCP ports

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"


# Allow outgoing TCP ports

TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

# Allow incoming UDP ports

UDP_IN = "20,21,53"

# Allow outgoing UDP ports

UDP_OUT = "20,21,53,113,123"
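As an added check (example script, not part of the original article), the following POSIX shell compares the article's TCP_IN value against a constructed list of listening ports, so you can see which listeners CSF would block and which allowed ports have nothing behind them. It handles single ports only, not CSF port ranges such as 1000:2000.

```shell
#!/bin/sh
# Added example: reconcile TCP_IN with the ports actually listening on the host.

# TCP_IN value as given in the article.
TCP_IN="20,21,22,25,53,80,110,143,443,465,587,993,995"

# Constructed sample of listening TCP ports, as `ss -lnt` might report them.
# On a real server replace with: ss -lntH | awk '{print $4}' | sed 's/.*://' | sort -un
LISTENING="22 25 80 443 3306 8443"

# Print each port that is listening but missing from TCP_IN (CSF would block it).
listening_not_allowed() {
    allowed=$(printf '%s\n' "$1" | tr ',' '\n' | sort -un)
    printf '%s\n' $2 | sort -un | while read -r p; do
        echo "$allowed" | grep -qx "$p" || echo "$p"
    done
}

# Print each port allowed in TCP_IN that has no listener (open for no reason).
allowed_not_listening() {
    listening=$(printf '%s\n' $2 | sort -un)
    printf '%s\n' "$1" | tr ',' '\n' | sort -un | while read -r p; do
        echo "$listening" | grep -qx "$p" || echo "$p"
    done
}

echo "Listening but blocked by TCP_IN:"
listening_not_allowed "$TCP_IN" "$LISTENING"
echo "Allowed in TCP_IN but nothing listens:"
allowed_not_listening "$TCP_IN" "$LISTENING"
```

Ports in the second list are candidates for removal from TCP_IN; ports in the first list need either a TCP_IN entry or the service stopped.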

Port Flood Protection

This is used to protect the server from port flood attacks, i.e. flooding a commonly used port with a huge number of connections and thereby denying or hanging the service listening on that port.

With this option, we can set the maximum number of connections a port may receive within an interval; connections beyond that limit will be blocked by the firewall. The syntax of the PORTFLOOD field is given below.

PORTFLOOD = "port;protocol;hit_count;interval_in_seconds"

You can add multiple ports separated by commas.

Here is an example for enabling port flood protection.

PORTFLOOD = "80;tcp;50;10"

This means that if the number of connections to port 80 exceeds 50 in ten seconds, all the new connections will be blocked.

Connection Limit Protection

This option allows us to set the maximum number of concurrent connections to a particular open port on the server from a single IP. This helps protect against denial of service (DoS) attacks.

Syntax:

CONNLIMIT = "port;limit"

We can set connection limits for multiple ports, separated by commas. Here is an example:

CONNLIMIT = "80;10,21;2"

This means the maximum number of concurrent connections to port 80 (HTTP) from a single IP is 10, and to port 21 (FTP) it is 2 per IP.
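Because a malformed PORTFLOOD or CONNLIMIT string silently weakens the protection, here is an added validator (example code, not from the article or from CSF) that checks values against the field layouts given above for both settings before they go into /etc/csf/csf.conf.

```shell
#!/bin/sh
# Added example: validate PORTFLOOD and CONNLIMIT strings. Entries are
# comma-separated; PORTFLOOD items are "port;protocol;hit_count;interval",
# CONNLIMIT items are "port;limit". Each function returns 0 when every entry
# is well formed, otherwise prints the first bad entry and returns 1.

check_portflood() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F';' '
        NF != 4                        { bad = $0; exit 1 }
        $1 !~ /^[0-9]+$/ || $1 > 65535 { bad = $0; exit 1 }  # port
        $2 != "tcp" && $2 != "udp"     { bad = $0; exit 1 }  # protocol
        $3 !~ /^[0-9]+$/ || $3 == 0    { bad = $0; exit 1 }  # hit_count
        $4 !~ /^[0-9]+$/ || $4 == 0    { bad = $0; exit 1 }  # interval (s)
        END { if (bad != "") print "invalid PORTFLOOD entry: " bad }'
}

check_connlimit() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F';' '
        NF != 2                        { bad = $0; exit 1 }
        $1 !~ /^[0-9]+$/ || $1 > 65535 { bad = $0; exit 1 }  # port
        $2 !~ /^[0-9]+$/ || $2 == 0    { bad = $0; exit 1 }  # limit per IP
        END { if (bad != "") print "invalid CONNLIMIT entry: " bad }'
}

# Usage on the values from the article:
check_portflood "80;tcp;50;10" && echo "PORTFLOOD ok"
check_connlimit "80;10,21;2" && echo "CONNLIMIT ok"
```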

Connection Tracking

This option allows us to set the maximum number of connections of any kind from a single IP address to the server. If the total number of connections from that IP address is greater than the set value, the offending IP address is blocked. This also provides protection against denial of service (DoS) attacks.

Here are examples of the CT options in the configuration.

CT_LIMIT = "100"

All IPs with more than 200 connections will be blocked.

CT_PERMANENT = "1"

IPs exceeding the connection limit will be blocked permanently.

CT_BLOCK_TIME = "3600"

This sets the duration of the IP block for exceeding the connection limit. The above setting will block the IP with excess connections for 3600 seconds, or 1 hour.

CT_INTERVAL = "60"

This value sets the interval in seconds between connection tracking scans; in the above example the scans take place every 60 seconds.

These are the basic security settings. There are many advanced options as well, such as:

PACKET_FILTER – To drop invalid packets.

SYNFLOOD – To drop TCP SYN packet DoS attempts (recommended only if you are under a SYN flood attack, as it can slow down legitimate connections).

ICMP_IN and ICMP_OUT – To allow/deny incoming and outgoing ping (ICMP) packets.

SYSLOG and RESTRICT_SYSLOG – To send lfd log messages (such as login failures) to syslog/rsyslog, and to restrict which users may write to the syslog/rsyslog socket.

Useful csf command options

Block an IP with CSF

csf -d <IP Address>

Allow an IP with CSF

csf -a <IP Address>

Unblock an IP with CSF

csf -dr <IP Address>

Unblock a temporarily blocked IP with CSF

csf -tr <IP Address>

Replace <IP Address> with the actual IP address of the user connecting to the server.

csf -s – Start firewall rules

csf -f – Flush/stop firewall rules

csf -r – Restart firewall rules

csf -x – Disable CSF

csf -e – Enable CSF

csf -c – Check for updates

csf -h – Show help screen

So there you have it: a step-by-step guide to installing and configuring CSF on a dedicated server or Linux VPS.
