CSF — Protecting Your Server or VDS
CSF (ConfigServer Security & Firewall) is an essential tool for protecting your server from unauthorized access and maintaining security.
A brief backstory: one of the heavily loaded sites we manage was hacked through an outdated content management system. Fortunately, spam attempts were detected in time, and rootkits were identified. An investigation revealed that the infected machine was managed through non-standard TCP and UDP ports.
To resolve this, we revisited CSF (ConfigServer Security & Firewall), which consists of two main modules: lfd (Login Failure Daemon) and csf. lfd monitors log files for brute-force attempts, while csf manages iptables to block ports and log connection attempts.
By default, csf is installed in testing mode. Let’s explore how to install and configure csf initially. Official documentation is available at ConfigServer, but here’s a simplified version.
Installation
Download the package and run the installer:
wget -O - http://www.configserver.com/free/csf.tgz | tar xvzf -
cd csf
sh ./install.sh
Modern OSes typically include the necessary modules, so no extra packages are usually required.
Starting CSF
Start csf with the default configuration:
service csf start
Configuration
The configuration files for csf are found in /etc/csf. Pay attention to the following settings:
- csf.allow: Specify IP addresses to whitelist; these will not be blocked even during suspicious activity.
- csf.deny: List IP addresses to be explicitly blocked here. To keep an address permanently blocked, add a comment like this:
  1.2.3.4 # do not delete
- csf.conf: This comprehensive configuration file is well-documented. Key parameters to note include:
  - TCP_IN, TCP_OUT, UDP_IN, UDP_OUT: Lists of allowed ports for incoming and outgoing traffic; the defaults are usually sufficient.
  - TESTING: By default, testing mode is enabled. Disable this after configuration to enable lfd and automatic IP blocking.
To apply configuration changes, restart csf:
csf -r
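The audit below is an added example, not part of the original article or of CSF itself: it reads TESTING, TCP_IN and UDP_IN from a csf.conf and reports listening ports missing from the allowed lists, the kind of non-standard port mentioned in the backstory. The function names are hypothetical, and the sample config and listener list are constructed.

```shell
# Added example (not from the article). CONF below is a constructed sample;
# on a real host, point it at /etc/csf/csf.conf.

# Print the value of a csf.conf setting written as NAME = "value".
csf_get() {  # usage: csf_get NAME FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Succeed if PORT is covered by a csf port list such as "22,80,30000:35000".
port_allowed() {  # usage: port_allowed PORT LIST
    echo "$2" | tr ',' '\n' | awk -F: -v p="$1" '
        NF == 1 && $1 == p            { ok = 1 }
        NF == 2 && p >= $1 && p <= $2 { ok = 1 }
        END { exit !ok }'
}

# Print one finding per line: TESTING still enabled, and listeners whose port
# is missing from TCP_IN/UDP_IN. LISTENERS holds lines like "tcp 22".
audit_csf() {  # usage: audit_csf FILE LISTENERS
    [ "$(csf_get TESTING "$1")" = "0" ] || echo "TESTING is on: lfd and automatic blocking are disabled"
    tcp_in=$(csf_get TCP_IN "$1")
    udp_in=$(csf_get UDP_IN "$1")
    echo "$2" | while read -r proto port; do
        case $proto in
            tcp) list=$tcp_in ;;
            udp) list=$udp_in ;;
            *)   continue ;;
        esac
        port_allowed "$port" "$list" || echo "unlisted $proto listener on port $port"
    done
}

# Constructed sample input: a trimmed csf.conf and a listener inventory.
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
TESTING = "1"
TCP_IN = "22,80,443,30000:35000"
UDP_IN = "53"
EOF
LISTENERS='tcp 22
tcp 443
tcp 31337
tcp 6667
udp 53
udp 4444'

audit_csf "$CONF" "$LISTENERS"
```

On a live server the listener inventory would be taken from the output of a tool such as `ss -tuln`; an unlisted listener is either a service that needs adding to the port list or something that should not be running.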
Monitoring and Managing
With csf operational, monitor suspicious events in /var/log/messages. For manual IP blocking, use:
csf -d 1.2.3.4
To remove an IP from the blocked list, use:
csf -dr 1.2.3.4
For more examples and usage scenarios, refer to the official documentation.
In conclusion, while CSF is a robust tool, remember it does not replace regular updates for your OS and CMS. Stay vigilant with your resources and ensure backups are made.