We’ve just finished installing cPanel/WHM on a CenOS machine so the next logical step would be to install some security protection. The tool of choice nowadays is CSF(ConfigServer Security & Firewall) which is an SPI iptables firewall developed by Way to the Web Limited. This is a short guide which describes how to install CSF on CentOS and verify that is working properly.
The first step would be to download CSF from their site using wget. The output should be something similar to this:
[root@web ~]# wget http://www.configserver.com/free/csf.tgz
--2015-01-25 02:34:51-- http://www.configserver.com/free/csf.tgz
Resolving www.configserver.com (www.configserver.com)... 220.127.116.11
Connecting to www.configserver.com (www.configserver.com)|18.104.22.168|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://download.configserver.com/csf.tgz [following]
--2015-01-25 02:34:51-- http://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 22.214.171.124
Connecting to download.configserver.com (download.configserver.com)|126.96.36.199|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 601886 (588K) [application/x-gzip]
Saving to: ‘csf.tgz’
100%[==================================================================================================================>] 601,886 489KB/s in 1.2s
2015-01-25 02:34:52 (489 KB/s) - ‘csf.tgz’ saved [601886/601886]
It’s a small file so the download should finish immediately. Next we’ll extract the archive using tar, change directory and install CSF on CentOS :
[root@web ~]# tar -xzf csf.tgz
[root@web ~]# cd csf
[root@web csf]# sh install.sh
We will edit the configuration file located under /etc/csf/csf.conf and add your SSH port to the exceptions list(In case we’re using something else than the default 22). Once that’s done and we’ve went through all the options in the configuration file we can adjust the following variable:
TESTING = "0"
and restart the service using csf -r. This would disable testing mode and the firewall is ready for use.
There are many options and we can also configure alerts and messages content that we receive in your email by altering the template files that exist within /etc/csf/ folder.