How to Install and Configure CSF on AlmaLinux 9
ConfigServer Security & Firewall (CSF): A Robust Firewall for Enhanced Linux Security
ConfigServer Security & Firewall (CSF) is a powerful firewall solution built on iptables, designed to offer comprehensive protection for Linux-based systems.
CSF comes with a variety of features, including IP and port blocking, as well as protection against Denial of Service (DoS) attacks. It also provides advanced security functionalities like rate limiting, connection tracking, and SSH login detection. Beyond its core firewall capabilities, CSF integrates tools to check system and file integrity, and monitor email activity and login attempts, ensuring a secure and well-protected environment for your server.
Step 1: Update Your System
Before starting the installation, ensure your system is up to date. Run the following commands:
sudo dnf update -y
sudo dnf install wget nano tar -y
Step 2: Disable firewalld
Disable the default firewalld service to prevent any conflicts with CSF:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
Step 3: Install Perl Modules for CSF
CSF requires certain Perl modules. Install these dependencies:
sudo dnf install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph -y
If some modules are unavailable, install the EPEL repository first:
sudo dnf install epel-release
Then retry the Perl module installation.
Step 4: Download and Install CSF
CSF is not available in the default AlmaLinux repositories, so we need to manually download it:
cd /usr/src
sudo wget https://download.configserver.com/csf.tgz
sudo tar xzf csf.tgz
cd csf
sudo sh install.sh
Step 5: Test the CSF Installation
Verify that CSF is installed and functioning properly:
sudo perl /usr/local/csf/bin/csftest.pl
You should see results indicating that CSF will function correctly on your system.
Step 6: Configure CSF
CSF is initially in TEST mode. To disable this and fully activate CSF, edit the configuration file:
sudo nano /etc/csf/csf.conf
Change the following lines:
- TESTING = "0" (to disable testing mode)
- RESTRICT_SYSLOG = "3" (restrict access to syslog)
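Allow necessary ports by modifying the TCP_IN and TCP_OUT values for incoming and outgoing traffic. Keep only the ports for services this server actually runs, and confirm that your SSH port is listed in TCP_IN before you disable testing mode: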
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
After configuring, restart CSF and LFD (Login Failure Daemon):
sudo systemctl restart csf && sudo systemctl restart lfd
sudo systemctl enable csf && sudo systemctl enable lfd
Step 7: Enable CSF Web Interface (Optional)
To enable the CSF web interface (GUI), modify the configuration file again:
sudo nano /etc/csf/csf.conf
Set the following:
- UI = "1" (enable web UI)
- UI_PORT = "8888" (set port for the web UI)
- UI_USER and UI_PASS (set username and password)
Allow your IP to access the CSF UI:
echo "YOUR_PUBLIC_IP_ADDRESS" | sudo tee -a /etc/csf/ui/ui.allow
Restart CSF and LFD services:
sudo systemctl restart csf
sudo systemctl restart lfd
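As an added example (not part of the original guide and not CSF's own tooling), the script below audits a csf.conf-style file for the settings changed in Steps 6 and 7. The function names, the default SSH port of 22 and the "username"/"password" placeholder values it flags are assumptions, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not CSF's own tooling): audit a csf.conf-style file for
# the settings this guide changes in Steps 6 and 7.

# Print the value of key $2 from file $1; lines look like: KEY = "value".
csf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Print one line per finding; exit status 0 = clean, 1 = findings.
# $1 = config file, $2 = SSH port (assumed to be 22 when omitted).
csf_audit() {
    conf=$1; ssh_port=${2:-22}; n=0
    [ "$(csf_get "$conf" TESTING)" = "0" ] ||
        { echo "TESTING is not \"0\": CSF is still in test mode"; n=$((n + 1)); }
    [ "$(csf_get "$conf" RESTRICT_SYSLOG)" = "3" ] ||
        { echo "RESTRICT_SYSLOG is not \"3\""; n=$((n + 1)); }
    # Exact match against the comma-separated list; port ranges are not expanded.
    case ",$(csf_get "$conf" TCP_IN)," in
        *",$ssh_port,"*) ;;
        *) echo "SSH port $ssh_port is not in TCP_IN"; n=$((n + 1)) ;;
    esac
    if [ "$(csf_get "$conf" UI)" = "1" ]; then
        # "username" and "password" are assumed placeholder values to reject.
        case "$(csf_get "$conf" UI_USER)" in
            ""|username) echo "UI enabled with empty or placeholder UI_USER"; n=$((n + 1)) ;;
        esac
        case "$(csf_get "$conf" UI_PASS)" in
            ""|password) echo "UI enabled with empty or placeholder UI_PASS"; n=$((n + 1)) ;;
        esac
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample input: an unconfigured file with the web UI switched on.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "1"
RESTRICT_SYSLOG = "0"
TCP_IN = "80,443"
UI = "1"
UI_USER = "username"
UI_PASS = "password"
EOF
csf_audit "$sample" || echo "=> fix the findings above before restarting csf and lfd"
rm -f "$sample"
```

On a real server, call `csf_audit /etc/csf/csf.conf` as root, passing your SSH port as the second argument if it is not 22.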
Step 8: Access the CSF Web Interface
To access the CSF web interface, open your browser and go to:
https://your-server-IP:8888
Log in with the username and password you set earlier.
Step 9: Manage CSF via Command Line
You can also manage CSF directly from the command line. Here are some useful commands:
- List rules:
sudo csf -l
- Allow an IP:
sudo csf -a IP-address
- Deny an IP:
sudo csf -d IP-address
- Remove a blocked IP:
sudo csf -dr IP-address
- Flush rules:
sudo csf -f
- Disable CSF:
sudo csf -x
Step 10: Uninstall CSF
If you need to remove CSF, run the uninstall script:
sudo sh /etc/csf/uninstall.sh
Conclusion
You’ve successfully installed and configured ConfigServer Security & Firewall (CSF) on AlmaLinux 9. This powerful firewall helps protect your server from a range of security threats. For additional help, check out the official CSF website for more advanced configuration options.