Once you've disabled root login from SSH on your server, the next step is to install a basic firewall to filter out nasty incoming connections. This includes a "Login Failure Daemon" to watch out for repeated login errors and block out the IP addresses for a certain time. Configuring a CentOS firewall on a fresh installation is easy. You just need to have a little bit of background so you know what you're doing.
IPTables and CSF
Though there are many firewall management tools for Linux, they all rely on a more fundamental service called "iptables". By itself, iptables can be rather complicated and difficult to use. So we're going to use a popular package called CSF (ConfigServer Security & Firewall) to manage iptables on our behalf. It makes tasks such as opening a port and blocking an IP address much easier than doing them directly through iptables.
Unlike iptables, CSF can be easily configured through a single configuration file that already has several helpful defaults built into it. The syntax is easy to figure out and you can interact with CSF through the command line as well. In addition, the CSF package also has a login daemon that protects us against brute force attacks.
So let's start with installing CSF on a fresh CentOS server.
Step 1: Check if Perl is Installed
CSF relies on Perl, which usually comes installed with most Linux distros. Check whether or not it's installed using the following command:
rpm -q perl
This should give you the current version of Perl as shown here:
If Perl is not installed, it'll say so and you need to get it via the following command on CentOS:
yum install perl
Other Linux distros might not use the "yum" tool. For example, Ubuntu uses "apt-get".
Step 2: Removing other Firewalls
A fresh CentOS server probably doesn't have an active firewall. We can check iptables and see if there are any pre-existing firewall rules in place using the following command:
My empty server has zero iptables entries. That means it has no firewall. However, CentOS installations often come with a firewall called "firewalld". It's not currently active on my installation as you can see here:
systemctl status firewalld
You can see that it's installed, but inactive. If you know of any other firewalls that might be present on your installation, remove them now.
Step 3: Installing CSF
To install CSF and LFD, enter the following commands while having root permissions:
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Here's the output of all except the last command:
This will download CSF from the repo and install it on your server. It won't be enabled yet, however. To check if everything is ok, type the following command after installation:
Step 4: Prepping CSF by Disabling "Test Mode"
Just because CSF is installed doesn't mean it will start automatically. To make it work, we need to disable "Test Mode" in the CSF config file. Open it using your favorite text editor. I personally use vim, so I type in:
Once the file /etc/csf/csf.conf is opened, scroll down to the line called TESTING = "1" and change "1" to "0" as shown here.
This disables test mode and allows the login daemon to work. Also, if you log in via SSH through a port other than 22, scroll down till you find the line starting with "TCP_IN", and add your port to the end of the comma-separated list of numbers:
Step 5: Basic CSF Configuration
Before we enable the firewall, here are some configuration settings you can set right away in /etc/csf/csf.conf:
RESTRICT_SYSLOG = "1"
SYSLOG_CHECK = "600"
LF_POP3D = "1"
LF_IMAPD = "1"
Save your changes and exit the editor. Now it's time to start CSF!
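Before starting CSF, it helps to confirm that the edits from Steps 4 and 5 actually landed in the file, especially the SSH port in TCP_IN. The script below is an added example, not part of the original tutorial or of CSF itself; the function names and the sample config are constructed, and it assumes TCP_IN entries are single ports or lo:hi ranges.

```shell
# Pre-flight check for a csf.conf-style file before "systemctl start csf".
# Added example; function names and the sample config below are constructed.

# conf_get KEY FILE: print the quoted value of an uncommented KEY = "value" line.
conf_get() {
    sed -n 's/^[[:space:]]*'"$1"'[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$2" | tail -n 1
}

# port_allowed PORT LIST: succeed if PORT is in the comma-separated LIST (ports or lo:hi).
port_allowed() {
    port=$1
    for item in $(printf '%s' "$2" | tr ',' ' '); do
        case $item in
            *:*) lo=${item%%:*}; hi=${item##*:}
                 [ "$port" -ge "$lo" ] 2>/dev/null && [ "$port" -le "$hi" ] 2>/dev/null && return 0 ;;
            *)   [ "$item" = "$port" ] && return 0 ;;
        esac
    done
    return 1
}

# audit_csf FILE SSH_PORT: print findings; exit status = number of blocking problems.
audit_csf() {
    conf=$1; ssh_port=$2; problems=0
    if [ "$(conf_get TESTING "$conf")" != "0" ]; then
        echo "FAIL: TESTING is not \"0\" (test mode still on)"
        problems=$((problems + 1))
    fi
    if ! port_allowed "$ssh_port" "$(conf_get TCP_IN "$conf")"; then
        echo "FAIL: SSH port $ssh_port is not in TCP_IN"
        problems=$((problems + 1))
    fi
    # Settings from Step 5 are reported but do not count as blocking.
    for kv in RESTRICT_SYSLOG=1 SYSLOG_CHECK=600 LF_POP3D=1 LF_IMAPD=1; do
        got=$(conf_get "${kv%%=*}" "$conf")
        [ "$got" = "${kv#*=}" ] || echo "NOTE: ${kv%%=*} is \"$got\", tutorial sets \"${kv#*=}\""
    done
    return "$problems"
}

# With two arguments, audit that file; with none, audit a constructed sample.
if [ "$#" -ge 2 ]; then
    audit_csf "$1" "$2"
else
    sample=$(mktemp)
    printf '%s\n' 'TESTING = "1"' 'TCP_IN = "20,21,80,443,30000:35000"' > "$sample"
    audit_csf "$sample" 2222 || echo "blocking problems: $?"
    rm -f "$sample"
fi
```

Run it as root with the config path and your SSH port as arguments; a non-zero exit status means one of the Step 4 edits is missing.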
Step 6: Enabling CSF
Finally, it's time to enable CSF and LFD. To do this, type the following commands into the console:
systemctl start csf
systemctl start lfd
And voilà! You now have an active CentOS firewall and login daemon. To check and see if it's working, we can refer once again to iptables with:
And here's the output after enabling csf and lfd:
Remember that this list was empty at the beginning of this tutorial and now it's populated, which means CSF is enabled and protecting your server from malicious activity.