ConfigServer Security & Firewall (CSF) Installation and Configuration Guide

This guide provides step-by-step instructions for installing and configuring ConfigServer Security & Firewall (CSF) on a server.

• Introduction :
  • 1. CSF Installation
  • 2. CSF Configuration
  • 3. CSF Configuration Script

Introduction:

ConfigServer Security & Firewall (CSF) is a Stateful Packet Inspection (SPI) firewall, login/intrusion detection, and security application for Linux servers provided by ConfigServer. Login Failure Daemon (LFD) is a daemon process that runs on our servers, which uses CSF for server security.

1. CSF Installation

On Debian-based Systems

Update package lists and install required dependencies

sudo apt-get update
sudo apt-get install -y wget perl libwww-perl liblwp-protocol-https-perl sendmail iptables

On RHEL-based Systems

Update package lists and install required dependencies

sudo yum update -y
sudo yum install -y wget perl perl-libwww-perl bind-utils sendmail iptables

Download and install CSF

wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sudo sh install.sh

2. CSF Configuration

Open the CSF configuration file:

sudo nano /etc/csf/csf.conf

Modify the following settings in the configuration file:

• Testing Mode: Set TESTING to “0” to enable the firewall.

TESTING = "0"

• Restrict Syslog: Set RESTRICT_SYSLOG to 3.

RESTRICT_SYSLOG = "3"

• Allow Incoming Connections: Configure TCP_IN to allow connections on necessary ports.

TCP_IN = "20,21,22,25,53,853,80,110,143,443,465,587,993,995,30030,10000,1515,1514,10050"

• Allow Outgoing Connections: Configure TCP_OUT to allow connections on necessary ports.

TCP_OUT = "20,21,22,25,53,853,80,110,113,443,587,993,995,10000,1515,1514,10050"

• IPv6 Settings: Configure TCP6_IN and TCP6_OUT if applicable.

TCP6_IN = "20,21,22,25,53,853,80,110,143,443,465,587,993,995,30030"
TCP6_OUT = "20,21,22,25,53,853,80,110,113,443,587,993,995"

• Allow Incoming UDP Connections: Configure UDP_IN.

UDP_IN = "20,21,53,853,80,443,10000,1515,1514"

• Allow Outgoing UDP Connections: Configure UDP_OUT.

UDP_OUT = "20,21,53,853,113,123,10000,1515,1514"

• IPv6 UDP Settings: Configure UDP6_IN and UDP6_OUT if applicable.

UDP6_IN = "20,21,53,853,80,443"
UDP6_OUT = "20,21,53,853,113,123"

Save and close the configuration file.

Allow IP Address

Open the CSF configuration file:

sudo nano /etc/csf/csf.allow

• Add the IP address you want to allow:

# 223.178.83.28

Deny IP Address

Open the CSF deny list file:

sudo nano /etc/csf/csf.deny

• Add the IP address you want to deny:

# 220.178.80.20

Restart CSF to apply changes:

sudo csf -r
sudo systemctl restart lfd

---

3. CSF Configuration Script

Use the following script to automate the CSF configuration:

create a new file named csf_configure.sh with the following command:

nano csf_configure.sh

Add the Script Content

#!/bin/bash

# Define IP addresses to allow and deny
# Example ("127.0.0.1" "192.168.1.1")
ALLOWED_IPS=() 
DENIED_IPS=()

# Define the values to be set in the CSF configuration
TESTING="0"
RESTRICT_SYSLOG="3"
TCP_IN="20,21,22,25,53,853,80,110,143,443,465,587,993,995,30030,10000,1515,1514,10050"
TCP_OUT="20,21,22,25,53,853,80,110,113,443,587,993,995,10000,1515,1514,10050"
TCP6_IN="20,21,22,25,53,853,80,110,143,443,465,587,993,995,30030"
TCP6_OUT="20,21,22,25,53,853,80,110,113,443,587,993,995"
UDP_IN="20,21,53,853,80,443,10000,1515,1514"
UDP_OUT="20,21,53,853,113,123,10000,1515,1514"
UDP6_IN="20,21,53,853,80,443"
UDP6_OUT="20,21,53,853,113,123"

# Define the CSF configuration file paths
CSF_CONF="/etc/csf/csf.conf"
CSF_ALLOW="/etc/csf/csf.allow"
CSF_DENY="/etc/csf/csf.deny"

# Define the IP tables log file
IPTABLES_LOG="/var/log/iptables.log"

# Backup the original configuration files
echo "Backing up original configuration files..."
sudo cp $CSF_CONF "$CSF_CONF.bak"
sudo cp $CSF_ALLOW "$CSF_ALLOW.bak"
sudo cp $CSF_DENY "$CSF_DENY.bak"

# Log current IP tables configuration
echo "Logging current IP tables configuration..."
sudo iptables -L -n > $IPTABLES_LOG
echo "Current IP tables configuration logged to $IPTABLES_LOG"

# Comment out previous IP addresses
echo "Commenting out previous IP addresses..."
sudo sed -i 's/^\([^#].*\)/# \1/' $CSF_ALLOW
sudo sed -i 's/^\([^#].*\)/# \1/' $CSF_DENY

# Update CSF configuration
echo "Updating CSF configuration..."
update_config() {
    local key=$1
    local value=$2
    if sudo sed -i "s/^${key} =.*/${key} = \"$value\"/" $CSF_CONF; then
        echo "Updated ${key} successfully."
    else
        echo "Failed to update ${key}." >&2
        exit 1
    fi
}

update_config "TESTING" "$TESTING"
update_config "RESTRICT_SYSLOG" "$RESTRICT_SYSLOG"
update_config "TCP_IN" "$TCP_IN"
update_config "TCP_OUT" "$TCP_OUT"
update_config "TCP6_IN" "$TCP6_IN"
update_config "TCP6_OUT" "$TCP6_OUT"
update_config "UDP_IN" "$UDP_IN"
update_config "UDP_OUT" "$UDP_OUT"
update_config "UDP6_IN" "$UDP6_IN"
update_config "UDP6_OUT" "$UDP6_OUT"

# Add allowed IP addresses with timestamp and description
if [ ${#ALLOWED_IPS[@]} -gt 0 ]; then
    echo "Configuring allowed IP addresses..."
    for IP in "${ALLOWED_IPS[@]}"; do
        TIMESTAMP=$(date "+%a %b %d %H:%M:%S %Y")
        echo "$IP # Allowing IP $IP - $TIMESTAMP" | sudo tee -a $CSF_ALLOW > /dev/null
    done
else
    echo "No IP addresses to allow."
fi

# Add denied IP addresses with timestamp and description
if [ ${#DENIED_IPS[@]} -gt 0 ]; then
    echo "Configuring denied IP addresses..."
    for IP in "${DENIED_IPS[@]}"; do
        TIMESTAMP=$(date "+%a %b %d %H:%M:%S %Y")
        echo "$IP # Denying IP $IP - $TIMESTAMP" | sudo tee -a $CSF_DENY > /dev/null
    done
else
    echo "No IP addresses to deny."
fi

# Restart CSF and LFD to apply the changes
echo "Restarting CSF and LFD..."
sudo csf -r
sudo systemctl restart lfd
sudo systemctl restart csf

echo "CSF and LFD configuration completed and applied."

Save the file and exit.

Change the file permissions to make the script executable:

chmod +x csf_configure.sh

Run the script with root privileges to apply the configuration:

sudo ./csf_configure.sh