Installing CSF Firewall on CentOS
The guide below is applicable to systems running CentOS 5, CentOS 6 and CentOS 7.
The ConfigServer Security & Firewall is a popular open source Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application, compatible with most Linux servers.
CSF can be fully configured to block or restrict ports you don't want open. CSF includes the Login Failure Daemon (LFD), which scans log files and monitors failed login attempts, such as login attempts for FTP and e-mail accounts, and blocks the offending IP according to the rules you have set up. CSF also offers Connection Limiting, Real Time Block Lists, Port Scan tracking and much more.
CSF can be easily managed from within its GUI, which is fully compatible with:
- DirectAdmin
- cPanel
- Webmin/Virtualmin
To avoid conflicts in operation it is important to remove your current firewall. If you are using a different software firewall, be sure to follow that program's uninstall directions before continuing. After completing the uninstallation routine, continue with the CSF installation procedure outlined below.
Note: This guide assumes you are familiar with SSH and basic command line navigation. These instructions apply primarily to customers who have Virtual Private Servers or Dedicated servers. If you do not have root-level access you will not be able to make these changes.
1. Installation
1.1 Install Dependencies
Begin by installing the required dependencies for the CSF Firewall:
CentOS, RHEL 5 and 6
yum install perl-libwww-perl
Alternatively, libwww can be installed using CPAN:
perl -MCPAN -e 'install Bundle::LWP'
CentOS, RHEL 7
yum -y install wget perl unzip net-tools perl-libwww-perl perl-LWP-Protocol-https perl-GDGraph
1.2 Install CSF Firewall
Download the CSF archive to the /tmp folder of your server using wget, unpack the archive with the tar command, and finally install CSF by running the ./install.sh setup script.
cd /tmp
wget https://download.configserver.com/csf.tgz
tar zxvf csf.tgz
cd csf
./install.sh
You can now remove the installation files:
rm -rf /tmp/csf
rm /tmp/csf.tgz
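A hardened variant of the download-and-unpack step above, as an added example that is not part of the original guide or of CSF itself: it refuses non-HTTPS URLs, works in a private directory rather than directly in /tmp, and checks the archive for path-traversal member names before extracting as root. The function names are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. Function names are illustrative.

# Accept only https:// URLs, so the archive cannot be altered in transit.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# A member name is unsafe if it is absolute or contains a ".." component:
# extracting it as root could write outside the target directory.
member_is_safe() {
    case "$1" in
        /*|..|../*|*/..|*/../*) return 1 ;;
    esac
    return 0
}

# List the archive and vet every member; fail closed if tar cannot read it.
archive_is_safe() {
    local members
    members=$(tar -tzf "$1") || return 1
    printf '%s\n' "$members" | while IFS= read -r m; do
        member_is_safe "$m" || { echo "unsafe member: $m" >&2; exit 1; }
    done
}

# Download into a fresh mode-0700 directory instead of a predictable path
# under world-writable /tmp, vet the archive, log its SHA-256 for the change
# record, then unpack. Prints the directory so install.sh can be reviewed.
fetch_and_unpack() {
    local url workdir archive
    url=$1
    require_https "$url" || return 1
    workdir=$(mktemp -d) || return 1
    archive="$workdir/${url##*/}"
    wget -q -O "$archive" "$url" || return 1
    archive_is_safe "$archive" || return 1
    sha256sum "$archive" >&2
    tar -xzf "$archive" -C "$workdir" --no-same-owner || return 1
    echo "$workdir"
}

# Usage (as root): read the installer before executing it.
#   dir=$(fetch_and_unpack https://download.configserver.com/csf.tgz)
#   less "$dir/csf/install.sh"; (cd "$dir/csf" && ./install.sh)
```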
1.3 Install Module
Operating Systems
Operating systems supported by DirectAdmin are listed in the table below.
OS | Versions |
---|---|
CloudLinux | 6.x 32/64-bit, 7.x 64-bit |
RedHat Enterprise / CentOS | 6.x 32/64-bit, 7.x 64-bit |
Debian | 8.x 64-bit, 9.x 64-bit |
Ubuntu | 12, 14, 16.04 |
FreeBSD | 11.x 64-bit |
IP address support
In order for DirectAdmin to be able to run on your system, 3 things must be true:
- The licensed IP must exist on the server. Type /sbin/ifconfig, and you should see the licensed IP in the output.
- The licensed IP must function and be able to be bound to, e.g.:
wget --bind-address=1.2.3.4 http://www.directadmin.com/index.html
- The IP that connects to our server must be the licensed IP.
DirectAdmin can run on a LAN/NAT, but requires some non-standard steps to get it running. More information can be found on this page.
2. Installation Procedure
Make sure your license information is correct!
If you have purchased your license directly from DirectAdmin.com, sign into your client account at https://www.directadmin.com/clients and click the "view" link next to your license. Verify that the server IP address and operating system are correct. Also make sure that the license is Active and Verified (if it isn't, you need to contact DirectAdmin support).
If you have a problem with a license obtained through us, please contact Woktron Support.
2.1 Update CentOS
yum update
2.2 Install Dependencies
Begin by installing the required dependencies for DirectAdmin:
Red Hat/Fedora/CentOS 6
yum install wget gcc gcc-c++ flex bison make bind bind-libs bind-utils openssl openssl-devel perl quota libaio \
libcom_err-devel libcurl-devel gd zlib-devel zip unzip libcap-devel cronie bzip2 cyrus-sasl-devel perl-ExtUtils-Embed \
autoconf automake libtool which patch mailx bzip2-devel lsof glibc-headers kernel-devel expat-devel db4-devel
The libcom_err-devel package is required for CentOS 6.
CentOS 7
yum install wget gcc gcc-c++ flex bison make bind bind-libs bind-utils openssl openssl-devel perl quota libaio \
libcom_err-devel libcurl-devel gd zlib-devel zip unzip libcap-devel cronie bzip2 cyrus-sasl-devel perl-ExtUtils-Embed \
autoconf automake libtool which patch mailx bzip2-devel lsof glibc-headers kernel-devel expat-devel psmisc net-tools systemd-devel libdb-devel perl-DBI perl-Perl4-CoreLibs xfsprogs rsyslog logrotate crontabs file kernel-headers
Debian 6
apt-get install gcc g++ make flex bison openssl libssl-dev perl perl-base perl-modules libperl-dev libaio1 libaio-dev \
zlib1g zlib1g-dev libcap-dev bzip2 automake autoconf libtool cmake pkg-config python libreadline-dev libdb4.8-dev libsasl2-dev patch
Debian 7
apt-get install gcc g++ make flex bison openssl libssl-dev perl perl-base perl-modules libperl-dev libaio1 libaio-dev \
zlib1g zlib1g-dev libcap-dev bzip2 automake autoconf libtool cmake pkg-config python libdb-dev libsasl2-dev libncurses5-dev patch libjemalloc-dev
Debian 8
apt-get install gcc g++ make flex bison openssl libssl-dev perl perl-base perl-modules libperl-dev libaio1 libaio-dev \
zlib1g zlib1g-dev libcap-dev cron bzip2 automake autoconf libtool cmake pkg-config python libdb-dev libsasl2-dev \
libncurses5-dev libsystemd-dev bind9 dnsutils quota libsystemd-daemon0 patch libjemalloc-dev logrotate rsyslog libc6-dev
You might need to remove libsystemd-dev from the list, if apt-get cannot find it.
Debian 9
apt-get update
apt-get install gcc g++ make flex bison openssl libssl-dev perl perl-base perl-modules libperl-dev libperl4-corelibs-perl libaio1 libaio-dev \
zlib1g zlib1g-dev libcap-dev cron bzip2 automake autoconf libtool cmake pkg-config python libdb-dev libsasl2-dev \
libncurses5-dev libsystemd-dev bind9 dnsutils quota patch libjemalloc-dev logrotate rsyslog libc6-dev libexpat1-dev \
libcrypt-openssl-rsa-perl libnuma-dev libnuma1 bsd-mailx
Debian 10 - not yet officially supported
apt-get update
apt-get install gcc g++ make flex bison openssl libssl-dev perl perl-base perl-modules libperl-dev libperl4-corelibs-perl libaio1 libaio-dev \
zlib1g zlib1g-dev libcap-dev cron bzip2 automake autoconf libtool cmake pkg-config python libdb-dev libsasl2-dev \
libncurses5-dev libsystemd-dev bind9 dnsutils quota patch logrotate rsyslog libc6-dev libexpat1-dev \
libcrypt-openssl-rsa-perl libnuma-dev libnuma1 bsd-mailx
FreeBSD
FreeBSD tends to have everything needed, and the need to run pre-install commands is less common.
Custombuild does require gmake, but will try to install it with dpkg -r or ports if it's missing. If needed:
pkg_add -r gmake perl wget bison flex gd cyrus-sasl2 cmake python autoconf libtool libarchive mailx
FreeBSD 10
pkg install gcc gmake perl5 wget bison flex cyrus-sasl cmake python autoconf libtool libarchive iconv bind99 mailx
FreeBSD 11
pkg install gcc gmake perl5 wget bison flex cyrus-sasl cmake python autoconf libtool libarchive iconv bind911 mailx webalizer gettext-runtime
FreeBSD 12
pkg install gcc gmake perl5 wget bison flex cyrus-sasl cmake python autoconf libtool libarchive iconv bind911 mailx webalizer gettext-runtime
2.3 Install DirectAdmin
Before continuing, ensure that SELinux is disabled. This can be done using the sed command below, which edits /etc/selinux/config; the new setting takes effect at the next reboot:
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
Continue by downloading the DirectAdmin setup routine using wget, make it executable with chmod, and finally start the setup routine by issuing the ./setup.sh command:
wget http://www.directadmin.com/setup.sh
chmod 755 setup.sh
./setup.sh
Hint: Use fetch instead of wget on FreeBSD systems.
After the setup routine starts you will be presented with a number of options:
1. Enter your license details (Client ID and License ID).
2. Enter your hostname.
Important: The hostname should not be the same as the primary domain name, e.g. woktron.com is not a valid hostname, whereas myserver.woktron.com is. Having the same host/main domain name will cause e-mail and FTP problems. Also, please make sure the hostname resolves once you set up DNS.
3. Enter your network interface (usually eth0). When using a Virtual Private Server (VPS) you should select the respective virtual network port:
venet0:0 (the usual option)
venet0:1