In this article, we are going to go over the basics of CSF Firewall, what it is, which platforms it runs on, and some basics about installing it.
We have tailored this information to new Linux system administrators or hobbyists who want to understand the basics of CSF Firewall, written out in plain English.
Linux: The Technical Environment We Are Working In
First of all, as we have already hinted at, if you want to run CSF Firewall, you need to be running a Linux server - not Windows or anything else.
Linux, as you probably already know if you are reading this, is an open source operating system based off of UNIX. (Linux is officially pronounced lee-nux (or a softer i as in “in”) and not like the name Linus van Pelt from Peanuts.)
CSF Firewall will run on the following Linux operating systems, and most likely newer versions as well:
For these versions of Linux, you may need to customize some of the regex patterns used in functions.
CSF Firewall can also work on the following virtual servers:
Both Virtuozzo and OpenVZ need the iptables to be configured correctly on the host server.
An Overview of CSF Firewall
CSF Firewall stands for ConfigServer Security & Firewall. It is a free Linux firewall provided by a UK company called Way to the Web Limited (trading as ConfigServer Services).
A firewall, as you probably already know, is a type of software that protects a computer or server from unauthorized intrusions and hacker attacks.
CSF Firewall has been around for a long time and has been considered for years a highly advanced firewall that is still simple enough for less experienced Linux system administrators. It has a ton of configurable options, but you don’t have to worry about all of them when getting started.
It is an alternative to other firewall options on Linux, such as APF Firewall.
You can install CSF Firewall on your Linux server and even use it on a VPS (Virtual Private Server).
Features of CSF Firewall
CSF Firewall has a lot of great features and has configuration options for both simple installations and more complex needs. Here are just three of the many features of this free firewall software:
1. Login Authentication Failures
CSF Firewall will monitor your logins for repeated attempts to login. If too many login failures are recorded (which can indicate a hacking attempt), the software can automatically ban that IP address from accessing the server.
This feature works with mail servers, FTP servers, openSSH, administrative panels such as cPanel and WHM, websites protected by htpasswd files, and more.
2. Messenger Service
When an IP address is blocked, you can have CSF Firewall send a message to the client. This might provide additional information to a hacker, however, for a real user who might be stumped and frustrated by failed login attempts, it can be very helpful.
3. Port Flood Protection
The last thing you want is a Denial of Service (DOS) attack on your server. This will hang up your website and make it impossible to reach. CSF Firewall has configurable port flooding protection that can limit how many connections can be allowed within a certain time period.
Installing CSF Firewall
How you install CSF Firewall will depend on what version of Linux you are running and other variables about your server environment. For the best advice on how to install CSF Firewall for your particular configuration, you should probably search “CSF Firewall installation on [Your Linux Version].”
Avoiding Conflicts with other Firewall Software
Make sure, if you want to run CSF Firewall on your machine, that you have uninstalled any other firewall software, as it could cause conflicts and generate problems. You would use your Linux package installer to remove existing firewall software, unless it was source installed.
On Linux versions such as CentOS, the package installer would be Yum. On Ubuntu and other versions, you may be using APT (Advanced Packaging Tool). These removal commands will differ based on the package installer, but can easily be found using an online search.
For example, if you want to remove APF Firewall version 9.6 from CentOS using Yum, you would use the command (as root):
rpm -e apf-9.6_5-1
With apt, the command might be:
apt remove apf-9.6_5-1
Or, if you are on Ubuntu and not logging in directly as root:
sudo apt remove apf-9.6_5-1
Remember, you would use the version number of the APF installation on your server, not necessarily the one shown here.
CSF Firewall Installation Instructions
If CSF Firewall is found in your package repositories, using the same package installer, you can download and install CSF Firewall that way.
If you are using the Synaptic package installer, which has an easy to use graphical interface, this might be the easiest route. Synaptic will install all the dependencies for you, making the process much quicker and easier.
Unfortunately, CSF Firewall is not included in many repositories, so you may need to download it manually. It is possible it might be available in some alternative repositories, in which case, you can add the repository to your package installer.
Alternatively, see below about Centmin Mod installation.
You will need to make sure Perl is installed on your machine, and if it isn’t, Perl must be installed first.
Assuming you have Perl installed, here are some simple commands to manually download and install CSF Firewall. These commands will work whether your server uses Apt or Yum:
# wget https://download.configserver.com/csf.tgz
# tar xfz csf.tgz
# cd csf
# sh install.sh
Make sure you are logged in as root, or, if using Ubuntu, prepend “sudo” in front of every command. (The pound sign above is indicative of a root prompt, and is not part of the command itself.)
Configuring CSF Firewall
Once you have installed the CSF Firewall software, you will need to configure it. There are many web pages with basic configuration information found easily through a search, such as this “how to” with basic command line instructions.
LAMP vs. LEMP Linux Installations
For those who are more familiar with a traditional LAMP stack CSF Firewall works with LEMP.
If you want to experiment with running LEMP, or you don’t know what LEMPvs. LAMP is, we will cover that here.
LAMP stacks are common set ups for website servers and are used across the Internet by companies big and small.
LAMP stands for Linux, Apache, MySQL, and PHP. Linux is the operating system, Apache is the web server, MySQL is the database server, and PHP is the scripted programming language that delivers the web sites.
LEMP is pretty much exactly like LAMP, only it uses the nginx web server. Nginx is pronounced “engine-x.” Thus, we have an E in LEMP instead of the A for Apache.
Apache was around first and is a reputable web server, but has some limitations or at least stresses that are put on it at high loads. Nginx was specifically designed to address some of these problems that the Apache web server has.
Nginx has a smaller memory footprint and leverages asynchronous event-driven requests to improve performance at times of high web traffic.
If you are setting up a new Linux web server from scratch, and trying to decide between LAMP and LEMP, you might want to go with LEMP. Besides the potential performance boosting benefits, you can use CSF Firewall with Centmin Mod (you also have to run CentOS).
CSF Firewall on Centmin Mod
If you are looking for an easy way to set up a new Linux server for the web, using CSF Firewall as well as a LEMP stack, here is a great option for you: Centmin Mod.
Centmin Mod is a LEMP stack that comes with an auto installer run through the command line.
It is designed for CentOS 6.x and CentOS 7.x (both flavors of Linux). It automatically installs and configures:
You also get other features, including third party YUM repositories and a variety of add-ons to Nginx.
For more information on how to install and use CSF Firewall with CentOS, check out the Centmin Mod website.
CSF Firewall is an excellent system designed to prevent hacking attempts from succeeding. By using this software, you can help prevent hackers from hijacking and destroying your web server.
With lots of options, CSF Firewall is good for both novice and experienced system administrators. Best of all, it is free!