
Install CSF (ConfigServer Security & Firewall) via SSH on CentOS 7


In this guide we’ll explain how to install CSF on your CentOS 7 VPS.

All commands – without sudo.

systemctl disable firewalld
systemctl stop firewalld
yum clean all
yum -y update
yum -y install wget perl ipset unzip net-tools perl-libwww-perl
yum -y install perl-LWP-Protocol-https perl-GDGraph bind-utils
cd /opt
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
rm -rf /opt/csf
rm -rf /opt/csf.tgz
cd ~
systemctl enable csf
systemctl enable lfd
service csf start
service lfd start

All commands – with sudo.

sudo systemctl disable firewalld
sudo systemctl stop firewalld
sudo yum clean all
sudo yum -y update
sudo yum -y install wget perl ipset unzip net-tools perl-libwww-perl
sudo yum -y install perl-LWP-Protocol-https perl-GDGraph bind-utils
cd /opt
sudo wget https://download.configserver.com/csf.tgz
sudo tar -xzf csf.tgz
cd csf
sudo sh install.sh
sudo rm -rf /opt/csf
sudo rm -rf /opt/csf.tgz
cd ~
sudo systemctl enable csf
sudo systemctl enable lfd
sudo service csf start
sudo service lfd start

CSF is a firewall based on iptables rules that protects and secures your server. The threats CSF protects your server from include brute force attacks, email relays, port scanning and many more. CSF configures the firewall to restrict access to your services and allow only the connections you specify. It includes the ability to enable publicly maintained blocklists, which block known malicious IPs, and to update these blocklists automatically at specified time intervals.

CSF can be installed on servers with or without cPanel. When installed on cPanel servers a GUI can be used for managing CSF with great ease and is included in the WHM panel.

Prerequisites

  • A CentOS 7 VPS server
  • Root access to the server
  • An SSH client

After meeting the requirements, you can follow the steps below to install and configure CSF on your server.

Install CSF

The first step is to stop and disable the existing firewall, since it will conflict with CSF. firewalld and iptables are pre-installed on CentOS 7.

systemctl disable firewalld
systemctl stop firewalld

Clean yum cache packages and headers. After that update yum packages.

yum clean all
yum -y update

CSF and LFD need Perl modules, unzip and a few more utility packages to function properly.

yum -y install wget perl ipset unzip net-tools perl-libwww-perl
yum -y install perl-LWP-Protocol-https perl-GDGraph bind-utils

Now CSF can be downloaded, extracted and installed using the following steps. First, change the directory to /opt. This directory will be used as the download location for the rest of the installation.

cd /opt

Download the source file using the command below.

wget https://download.configserver.com/csf.tgz

Now decompress the downloaded file using the tar command.

tar -xzf csf.tgz

Install CSF using the following commands.

cd csf
sh install.sh

After completing the installation, it is a good practice to remove the downloaded files. You can use the below commands to remove the files.

rm -rf /opt/csf
rm -rf /opt/csf.tgz

Change directory back to the home directory

cd ~

Configuring CSF

Go to the csf configuration directory and open csf.conf using vim.

cd /etc/csf
vim csf.conf

Change TESTING to 0 to apply the firewall configuration.

TESTING="0"

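By default, CSF allows incoming and outgoing traffic for SSH on port 22. You should change this to another port in the dynamic port range from 49152 – 65535 as a best practice for security. To do this, add the new port to the “TCP_IN” and “TCP6_IN” lines in the configuration file. These settings only open the port in the firewall; sshd itself must also be set to listen on the same port (the Port directive in /etc/ssh/sshd_config), otherwise SSH becomes unreachable.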

NOTE: Port changes need to be made for both IPv4 and IPv6 addresses unless you intend to disable IPv6.

Example:
# Allow incoming TCP ports
TCP_IN = "62314"

# Allow incoming IPv6 TCP ports
TCP6_IN = "62314"
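
A pre-flight check for the settings above, as an added example that is not part of the original article or of CSF itself: it reads a csf.conf, confirms that the SSH port is allowed in both TCP_IN and TCP6_IN and that TESTING is 0, and reports what is missing. The function names and the sample file are constructed for illustration, and the SSH port is passed in as an argument.

```shell
#!/bin/sh
# Added example: pre-flight check of a csf.conf before CSF is (re)started.
# Assumption: the SSH port is passed as an argument; on a live server it is
# whatever sshd actually listens on.

# Print the quoted value of KEY from a csf.conf-style file (KEY = "value").
csf_get() {  # usage: csf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Succeed if PORT is in a CSF port list (comma-separated ports, low:high ranges).
port_in_list() {  # usage: port_in_list LIST PORT
    old_ifs=$IFS; IFS=,
    for item in $1; do
        case $item in
            *:*) lo=${item%%:*}; hi=${item##*:}
                 [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ] && { IFS=$old_ifs; return 0; } ;;
            *)   [ "$item" = "$2" ] && { IFS=$old_ifs; return 0; } ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Print each problem found; the return status is the number of problems.
csf_preflight() {  # usage: csf_preflight FILE SSH_PORT
    problems=0
    for key in TCP_IN TCP6_IN; do
        if ! port_in_list "$(csf_get "$1" "$key")" "$2"; then
            echo "FAIL: SSH port $2 is not allowed in $key"
            problems=$((problems + 1))
        fi
    done
    if [ "$(csf_get "$1" TESTING)" != "0" ]; then
        echo "FAIL: TESTING is not 0"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample, not a real server's file: TCP6_IN and TESTING were missed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "1"
TESTING_INTERVAL = "5"
TCP_IN = "80,443,62314,30000:35000"
TCP6_IN = "80,443"
EOF
csf_preflight "$sample" 62314 || echo "problems found: $?"
rm -f "$sample"
```

Run it against /etc/csf/csf.conf with the port sshd listens on, from a session you will not lose, before starting or restarting CSF.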

Start CSF and LFD with the systemctl command.

systemctl start csf
systemctl start lfd

And then enable CSF and LFD to start on boot.

systemctl enable csf
systemctl enable lfd

Conclusion

Now, you will be able to use CSF as a firewall and intrusion/login failure detection system to secure your server.
