This tutorial is designed to guide you with a step-by-step process for installing CSF on AlmaLinux, ensuring that your system is fortified against potential threats. Every system administrator holds the critical responsibility of safeguarding their server against the potential threats and vulnerabilities. ConfigServer Security & Firewall (CSF) is a powerful solution designed to strengthen your server\u2019s security and provide enhanced protection against various types of attacks.<\/p>\n\n\n\n
Requirements:<\/strong><\/p>\n\n\n\n Before installing the CSF, you need to update the system packages to the latest version available. <\/p>\n\n\n\n These are required packages to install on your system. <\/p>\n\n\n\n Once they are installed, proceed to download the CSF archive from the official source. Navigate to the \/usr\/src directory to keep things organized.<\/p>\n\n\n\n After downloading, extract the contents of the archive to access the CSF installation files. <\/p>\n\n\n\n Then, switch to the extracted CSF directory and run the installation script to begin the setup.<\/p>\n\n\n\n If the installation is successful, you\u2019ll see a confirmation message indicating that CSF has been installed correctly.<\/p>\n\n\n\n Don’t forget to:<\/p>\n\n\n\n Adding current SSH session IP address to the csf whitelist in csf.allow:<\/p>\n\n\n\n Installation Completed<\/p>\n\n\n\n You can see the first reminder message, conveying the CSF is not properly configured. Before the configuration, we check if the required iptables modules are installed. Execute the command below:<\/p>\n\n\n\n If done properly, here is the expected output: <\/p>\n\n\n\n So far, we have just downloaded and installed the CSF. After that, we confirmed that iptables modules are loaded. Next, you have to start and enable the CSF service. <\/p>\n\n\n\n In the previous step, we downloaded and installed the CSF. After that, we confirmed that the iptables modules are loaded. Next is to start and enable the CSF service.<\/p>\n\n\n\n Execute the following command to start and enable CSF. <\/p>\n\n\n\n To check the status of the CSF service:<\/p>\n\n\n\n You should receive the following output:<\/p>\n\n\n\n After the installation process, here is the following output your received.<\/p>\n\n\n\n First add the following ports for TCP in \/etc\/csf.conf<\/p>\n\n\n\n # Allow incoming TCP ports<\/p>\n\n\n\n # Allow outgoing TCP ports<\/p>\n\n\n\n Next, set Testing to 0<\/p>\n\n\n\n # lfd will not start while this is enabled<\/p>\n\n\n\n Last but not least, start the LDF service and restart the CSF for the changes to take effect.<\/p>\n\n\n\n You should receive the following output:<\/p>\n\n\n\n Follow some of these basic commands to enable and disable the CSF. Also, we have mentioned commands for other functionalities. <\/p>\n\n\n\n The current list of temporary allow and deny IP entries with their TTLs and comments is displayed<\/p>\n\n\n\n Configuring and installing the CSF (ConfigServer Security & Firewall) on AlmaLinux significantly enhances the server\u2019s security. It provides a comprehensive and customizable firewall solution. Different features like login tracking, port blocking, and intrusion detection, CSF helps administrators monitor and control server access effectively. This tutorial helps in setting up and installing CSF and securing the server.<\/p>\n Once CSF is up and running, it\u2019s crucial to regularly update its rules and monitor logs to stay ahead of potential vulnerabilities. While CSF is powerful out of the box, taking the time to fine-tune its settings to suit your server\u2019s needs can offer even greater protection and performance.<\/p>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":" This tutorial is designed to guide you with a step-by-step process for installing CSF on AlmaLinux, ensuring that your system is fortified against potential threats. Every system administrator holds the critical responsibility of safeguarding their server against the potential threats and vulnerabilities. ConfigServer Security & Firewall (CSF) is a powerful solution designed to strengthen your […]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[41],"tags":[],"class_list":["post-19528","post","type-post","status-publish","format-standard","placeholder-for-hentry","category-howtos"],"yoast_head":"\n\n
Steps to Install and Configure CSF on AlmaLinux<\/h2>\n\n\n\n
Step 1. Update the System<\/h3>\n\n\n\n
sudo dnf update -y && sudo dnf upgrade -y<\/code><\/pre>\n\n\n\nStep 2: Download and Install CSF<\/h3>\n\n\n\n
sudo dnf install epel-release -y\n\nsudo dnf install iptables perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph wget tar perl-Math-BigInt -y<\/code><\/pre>\n\n\n\ncd \/usr\/src\u00a0\n\nwget https:\/\/download.configserver.com\/csf.tgz<\/code><\/pre>\n\n\n\ntar zxvf csf.tgz<\/code><\/pre>\n\n\n\ncd csf\/\n\nsh install.sh<\/code><\/pre>\n\n\n\n\n
Can't locate lib.pm in @INC (you may need to install the lib module) (@INC contains: \/usr\/local\/lib64\/perl5\/5.32 \/usr\/local\/share\/perl5\/5.32 \/usr\/lib64\/perl5\/vendor_perl \/usr\/share\/perl5\/vendor_perl \/usr\/lib64\/perl5 \/usr\/share\/perl5) at \/usr\/sbin\/csf line 10.\n\nBEGIN failed--compilation aborted at \/usr\/sbin\/csf line 10.\n\n'lfd.service' -> '\/usr\/lib\/systemd\/system\/lfd.service'\n\n'csf.service' -> '\/usr\/lib\/systemd\/system\/csf.service'\n\nCreated symlink \/etc\/systemd\/system\/multi-user.target.wants\/csf.service \u2192 \/usr\/lib\/systemd\/system\/csf.service.\n\nCreated symlink \/etc\/systemd\/system\/multi-user.target.wants\/lfd.service \u2192 \/usr\/lib\/systemd\/system\/lfd.service.\n\nRemoved \/etc\/systemd\/system\/dbus-org.fedoraproject.FirewallD1.service.\n\nRemoved \/etc\/systemd\/system\/multi-user.target.wants\/firewalld.service.\n\nCreated symlink \/etc\/systemd\/system\/firewalld.service \u2192 \/dev\/null.\n\n'\/etc\/csf\/csfwebmin.tgz' -> '\/usr\/local\/csf\/csfwebmin.tgz'<\/code><\/pre>\n\n\n\nsudo perl \/usr\/local\/csf\/bin\/csftest.pl<\/code><\/pre>\n\n\n\n[root@host csf]# sudo perl \/usr\/local\/csf\/bin\/csftest.pl\n\nTesting ip_tables\/iptable_filter...OK\n\nTesting ipt_LOG...OK\n\nTesting ipt_multiport\/xt_multiport...OK\n\nTesting ipt_REJECT...OK\n\nTesting ipt_state\/xt_state...OK\n\nTesting ipt_limit\/xt_limit...OK\n\nTesting ipt_recent...OK\n\nTesting xt_connlimit...OK\n\nTesting ipt_owner\/xt_owner...OK\n\nTesting iptable_nat\/ipt_REDIRECT...OK\n\nTesting iptable_nat\/ipt_DNAT...OK\n\nRESULT: csf should function on this server<\/code><\/pre>\n\n\n\nStep 3. Manage the CSF Service<\/h3>\n\n\n\n
sudo systemctl start csf.service && sudo systemctl enable csf.service<\/code><\/pre>\n\n\n\nsudo systemctl status csf.service<\/code><\/pre>\n\n\n\n[root@host csf]# sudo systemctl status csf<\/code><\/pre>\n\n\n\ncsf.service - ConfigServer Firewall & Security - csf\n\n\u00a0\u00a0\u00a0Loaded: loaded (\/usr\/lib\/systemd\/system\/csf.service; enabled; vendor preset: disabled)\n\n\u00a0\u00a0\u00a0Active: active (exited) since Mon 2022-08-08 17:13:49 EDT; 5s ago\n\n\u00a0Main PID: 6595 (code=exited, status=0\/SUCCESS)\n\n\u00a0\u00a0\u00a0\u00a0Tasks: 0 (limit: 23666)\n\n\u00a0\u00a0\u00a0Memory: 0B\n\n\u00a0\u00a0\u00a0CGroup: \/system.slice\/csf.service\n\nAug 08 17:13:49 host.test.vps csf[6595]: csf: FASTSTART loading UDP_IN (IPv4)\n\nAug 08 17:13:49 host.test.vps csf[6595]: csf: FASTSTART loading UDP_OUT (IPv4)\n\nAug 08 17:13:49 host.test.vps csf[6595]: ACCEPT\u00a0 all opt -- in lo out *\u00a0 0.0.0.0\/0\u00a0 -> 0.0.0.0\/0\n\nAug 08 17:13:49 host.test.vps csf[6595]: ACCEPT\u00a0 all opt -- in * out lo\u00a0 0.0.0.0\/0\u00a0 -> 0.0.0.0\/0\n\nAug 08 17:13:49 host.test.vps csf[6595]: LOGDROPOUT\u00a0 all opt -- in * out !lo\u00a0 0.0.0.0\/0\u00a0 -> 0.0.0.0\/0\n\nAug 08 17:13:49 host.test.vps csf[6595]: LOGDROPIN\u00a0 all opt -- in !lo out *\u00a0 0.0.0.0\/0\u00a0 -> 0.0.0.0\/0\n\nAug 08 17:13:49 host.test.vps csf[6595]: csf: FASTSTART loading DNS (IPv4)\n\nAug 08 17:13:49 host.test.vps csf[6595]: LOCALOUTPUT\u00a0 all opt -- in * out !lo\u00a0 0.0.0.0\/0\u00a0 -> 0.0.0.0\/0\n\nAug 08 17:13:49 host.test.vps csf[6595]: LOCALINPUT\u00a0 all opt -- in !lo out *\u00a0 0.0.0.0\/0\u00a0 -> 0.0.0.0\/0\n\nAug 08 17:13:49 host.test.vps systemd[1]: Started ConfigServer Firewall & Security - csf.<\/code><\/pre>\n\n\n\nStep 4. Configuring CSF<\/h3>\n\n\n\n
\n
TCP_IN = \"20,21,22,25,53,80,110,143,443,465,587,993,995\"<\/code><\/pre>\n\n\n\nTCP_OUT = \"20,21,22,25,53,80,110,113,443,587,993,995\"<\/code><\/pre>\n\n\n\nTESTING = \"0\"<\/code><\/pre>\n\n\n\nsudo systemctl start lfd.service\n\nsudo systemctl restart csf.service\n\nCheck the status of the lfd service\n\nsudo systemctl status lfd.service<\/code><\/pre>\n\n\n\n[root@host csf]# systemctl status lfd\n\nlfd.service - ConfigServer Firewall & Security - lfd\n\n\u00a0\u00a0\u00a0Loaded: loaded (\/usr\/lib\/systemd\/system\/lfd.service; enabled; vendor preset: disabled)\n\n\u00a0\u00a0\u00a0Active: active (running) since Mon 2022-08-08 17:31:26 EDT; 13s ago\n\n\u00a0\u00a0Process: 6961 ExecStart=\/usr\/sbin\/lfd (code=exited, status=0\/SUCCESS)\n\n\u00a0Main PID: 6970 (lfd - sleeping)\n\n\u00a0\u00a0\u00a0\u00a0Tasks: 1 (limit: 23666)\n\n\u00a0\u00a0\u00a0Memory: 124.2M\n\n\u00a0\u00a0\u00a0CGroup: \/system.slice\/lfd.service\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u2514\u25006970 lfd - sleeping<\/code><\/pre>\n\n\n\nStep 5. Basic CSF commands<\/h3>\n\n\n\n
Enable CSF\n\ncsf -e\n\nWhitelist IP address in CSF\n\ncsf -a 192.168.1.1\n\nBlock IP address in CSF\n\ncsf -d 192.168.1.2<\/code><\/pre>\n\n\n\ncsf -t\n\nRestart CSF\n\ncsf -r\n\nDisable CSF\n\ncsf \u2013x<\/code><\/pre>\n\n\n\n