ConfigServer Security & Firewall (CSF) is an excellent, GUI-based way of managing a powerful, proactive firewall with additional at-a-glance server security diagnostics, a heap of automated tools, extensive configuration options and an alert system.
There's little point repeating the features list, which runs as long as your arm, so have a link instead:
How to install the CSF firewall
The only caveat to installation is that if you are running the APF firewall then you should disable that first, otherwise things can get messy. Disabling APF while evaluating CSF is simple enough:
For those with iptables, don't change anything. CSF's installation is intuitive, so important ports don't get blocked during the transition. Follow this guide and you'll be fine.
Installation is a breeze. Assuming root, we need a dependency package, move to a download location, get the thing, unzip and install it:
We can test the installation too:
And should receive a result like this:
Run CSF as a control panel module
Using CSF as a Webmin module is a highly user-friendly option:
To install as a Webmin module, for example, click through the navigation:
On the module's panel select the From local file radio button, type in /etc/csf/csfwebmin.tgz and click Install Module. You'll receive confirmation, and a new item appears in Webmin's menu; open it:
System > ConfigServer Security & Firewall
Setting up ConfigServer's firewall
This can be done from the command line or using a control panel. From the terminal:
Or from within a CP click on the button Firewall Configuration. Either way, scroll down to the allowed ports section.
The bare essentials you need are TCP ports 80 and 443 plus your SSH port, which by default is 22. If you are using Webmin, its default port is 10000. Apart from any ports your other services require, say for email, delete the remaining ports that are enabled by default in both the TCP and UDP sections.
Finally, set the Testing variable to 0 to enable the firewall and save the page.
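The edit above can be scripted. What follows is an added example, not the article's code: it rewrites the KEY = "value" lines of a csf.conf-style file and refuses to set TESTING to 0 unless the SSH port is still in TCP_IN, the one mistake that locks you out of the box. The sample config, the port lists and the temp-file path are constructed assumptions.

```shell
# Added example, not the article's code: edit a csf.conf the way the
# "Setting up" steps describe, refusing to leave testing mode if the SSH
# port is missing from TCP_IN. Paths and port lists are constructed.

# Print the value of KEY (csf.conf layout: KEY = "value") from FILE.
csf_get_option() {
    sed -n "s/^$2 = \"\(.*\)\"\$/\1/p" "$1" | head -n 1
}

# Rewrite KEY = "..." in FILE to KEY = "VALUE" via a temp file, which
# behaves the same on GNU and BSD sed (unlike sed -i).
csf_set_option() {
    sed "s/^$2 = \".*\"\$/$2 = \"$3\"/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Succeed if PORT appears in the comma-separated list held by KEY in FILE.
csf_port_allowed() {
    case ",$(csf_get_option "$1" "$2")," in
        *",$3,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Apply a minimal inbound set, clear the default UDP list, then set
# TESTING = "0", but only after reading back TCP_IN and confirming the SSH
# port survived the trim, since a wrong list here locks you out.
csf_apply_minimal() {
    file=$1; tcp_ports=$2; ssh_port=${3:-22}
    csf_set_option "$file" TCP_IN "$tcp_ports"
    csf_set_option "$file" UDP_IN ""
    if ! csf_port_allowed "$file" TCP_IN "$ssh_port"; then
        echo "SSH port $ssh_port not in TCP_IN; leaving TESTING as is" >&2
        return 1
    fi
    csf_set_option "$file" TESTING "0"
}

# Constructed sample in csf.conf's layout (a few keys only, not a real file).
make_sample_conf() {
    cat > "$1" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
UDP_IN = "20,21,53"
EOF
}

# Demo on a throwaway file; on a server the file is /etc/csf/csf.conf and
# `csf -r` afterwards loads the new rules.
demo=$(mktemp); make_sample_conf "$demo"
csf_apply_minimal "$demo" "80,443,22,10000" 22 && cat "$demo"; rm -f "$demo"
```

If your sshd listens on a non-default port, pass it as the third argument so the check looks for the right one.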
Error on stopping the firewall?
VPS machines may receive an error when stopping the firewall. Check:
If you see iptables LKM ip_tables missing so this firewall cannot function unless you enable MONOLITHIC_KERNEL in /etc/csf/csf.conf then open CSF's configuration file /etc/csf/csf.conf and search for MONOLITHIC_KERNEL = "0". Change that to read:
… And restart the firewall:
Using CSF from the command line
Rather than use a panel it is quicker, if less user-friendly, to use CSF from the command line. Here are some handy commands:
- csf -h for the CSF manual
- csf -a [IPADDRESS] to allow an IP
- csf -d [IPADDRESS] to block an IP
- csf -dr [IPADDRESS] to unblock an IP
- csf -f to flush the rules, disabling the firewall
- csf -s to start the firewall
- csf -r to restart the firewall
- csf -x to disable CSF
- csf -e to enable CSF
- csf -c to check for a CSF update
And the main configuration files are:
- /etc/csf/csf.conf for the firewall configuration
- /etc/csf/csf.allow to allow IP addresses
- /etc/csf/csf.deny to deny IPs
Using CSF to scan for system vulnerabilities
CSF combines its firewall with a terrific tool to check for system delinquencies. Do this:
The former e-mails you a comprehensive HTML report; the latter prints the HTML to the terminal so you can copy it into somepage.html, for example to share the report on your company intranet.
Alternatively, the Webmin module gives similar output. Here's a fraction:
Finally, as always, play it safe by leaving the root shell with the exit command.
Good stuff. CSF isn't much of a headache to install and configure and makes for a very decent alternative to managing raw iptables.
In our pursuit for the ultimate in WordPress security (and peace of mind) we'll move right along to secure services (daemons) that sit on the remaining open ports, in Disable Daemons & Close Server Ports.
No sloping off now …