How To Install CSF Firewall on AlmaLinux 10
ConfigServer Security & Firewall (CSF) represents one of the most comprehensive firewall solutions available for Linux servers, providing advanced security features and intrusion detection capabilities. AlmaLinux 10, with its robust enterprise-grade foundation, offers the perfect platform for implementing this powerful security tool. This comprehensive guide will walk you through the complete installation and configuration process of CSF on AlmaLinux 10, ensuring your server maintains optimal security while remaining accessible for legitimate traffic.
The combination of CSF’s stateful packet inspection firewall technology with AlmaLinux 10’s stability creates a formidable defense against cyber threats. Whether you’re managing a production server, development environment, or enterprise infrastructure, this tutorial will equip you with the knowledge to implement professional-grade firewall protection.
Understanding CSF Firewall
ConfigServer Security & Firewall stands as a sophisticated security solution that goes beyond traditional firewall functionality. At its core, CSF operates as a stateful packet inspection (SPI) firewall, monitoring and filtering network traffic based on connection state, port, and protocol information.
The firewall’s architecture includes several key components that work together to provide comprehensive protection. The Login Failure Daemon (LFD) continuously monitors authentication attempts, automatically blocking IP addresses that exhibit suspicious behavior patterns. This intrusion detection system proves particularly effective against brute force attacks targeting SSH, FTP, and web-based services.
CSF’s advanced features distinguish it from simpler firewall solutions. The system includes real-time process monitoring, which tracks system resources and can automatically restart services or block processes that consume excessive resources. Connection tracking capabilities allow administrators to monitor active connections and identify potential security threats.
Compared to other firewall solutions like iptables, firewalld, or UFW, CSF provides a more user-friendly interface while maintaining enterprise-level functionality. The web-based management interface simplifies complex firewall rule management, making it accessible to both experienced system administrators and those newer to Linux security.
AlmaLinux 10 Prerequisites and System Requirements
Before beginning the CSF installation process, ensure your AlmaLinux 10 system meets the necessary requirements for optimal performance and compatibility. AlmaLinux 10 provides enhanced security features and improved hardware support, making it an ideal foundation for CSF deployment.
System requirements include a minimum of 512MB RAM, though 1GB or more is recommended for production environments handling moderate to heavy traffic. The system should have at least 2GB of available disk space to accommodate CSF installation files, log storage, and temporary files.
Administrative access is essential for CSF installation and configuration. You must have root privileges or sudo access to install packages, modify system configurations, and manage firewall services. Network connectivity is required to download CSF packages and updates from the official ConfigServer repository.
Before proceeding, verify that your AlmaLinux 10 system doesn’t have conflicting firewall services running. The default firewalld service can interfere with CSF operation and should be disabled during the installation process.
Pre-Installation Steps
Proper system preparation ensures smooth CSF installation and prevents common configuration issues. Begin by updating your AlmaLinux 10 system to the latest package versions, which includes security patches and compatibility improvements:
sudo dnf update -y && sudo dnf upgrade -y
This command updates the package repository cache and installs the latest versions of all installed packages.
Next, disable the default firewalld service to prevent conflicts with CSF. AlmaLinux 10 ships with firewalld enabled by default, and running it alongside CSF leaves two services managing the same netfilter rules, which causes conflicts and unexpected behavior:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl mask firewalld
The masking command prevents firewalld from being accidentally started by other services or system processes.
Install the required Perl modules and dependencies that CSF needs for proper operation. These packages provide essential functionality for CSF’s monitoring and management features:
sudo dnf install perl perl-libwww-perl perl-LWP-Protocol-https perl-Math-BigInt wget tar unzip net-tools iptables -y
Some AlmaLinux 10 installations may require additional Perl modules. Install the comprehensive development tools to ensure compatibility:
sudo dnf groupinstall "Development Tools" -y
sudo dnf install perl-CPAN perl-GDGraph -y
These packages provide the foundation for CSF’s advanced features, including graphical reporting and enhanced logging capabilities.
CSF Installation Process
Download the latest CSF package directly from the official ConfigServer repository. Using the official source ensures you receive the most recent security updates and compatibility improvements:
cd /usr/src
sudo wget https://github.com/waytotheweb/scripts/raw/main/csf.tgz
The /usr/src directory provides a standard location for source code and installation files, following Linux Filesystem Hierarchy Standard conventions.
Extract the downloaded archive using the tar command with appropriate options for gzip compression:
sudo tar -xzf csf.tgz
Navigate to the extracted CSF directory, which contains the installation scripts and configuration files:
cd csf
Execute the installation script with root privileges. The install.sh script automatically configures CSF for your system architecture and creates necessary directories:
sudo sh install.sh
The installation process creates several important directories and files. CSF configuration files are stored in /etc/csf/, executable scripts in /usr/local/csf/bin/, and log files in /var/log/. The installer also creates systemd service files for automatic startup management.
Verify the installation completed successfully by checking the CSF version and testing system compatibility:
sudo perl /usr/local/csf/bin/csftest.pl
This compatibility test verifies that all required kernel modules are available and that CSF can properly interface with the iptables subsystem. A successful test displays “RESULT: csf should function on this server”.
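Because install.sh runs as root, it is worth checking the download before extracting it. The following added example (not from this tutorial or the CSF project) rejects a file that is not a gzip tar archive, such as an HTML page saved from a repository web view, checks that every member sits under csf/, and compares the SHA-256 with a digest you pin yourself; the page publishes no digest, so that value is a placeholder, and the function and script names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the CSF project): vet a downloaded csf.tgz
# before install.sh is run as root.

# Succeed only if $1 is a gzip-compressed tar archive. A saved HTML page,
# which is what a GitHub /blob/ URL returns, fails this check.
is_gzip_tarball() {
    gzip -t "$1" 2>/dev/null && tar -tzf "$1" >/dev/null 2>&1
}

# Succeed only if every archive member lies under the top-level directory $2
# and none uses an absolute path or a ".." component.
archive_paths_safe() (
    tar -tzf "$1" | while IFS= read -r member; do
        case "$member" in
            /*|../*|*/../*|*/..) exit 1 ;;
            "$2"|"$2"/*) ;;
            *) exit 1 ;;
        esac
    done
)

# Succeed only if the file's SHA-256 equals $2 (a digest you pinned yourself).
sha256_matches() (
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
)

# Run all checks; print the first failure and return non-zero.
verify_csf_download() {   # args: archive expected_sha256
    is_gzip_tarball "$1"        || { echo "not a gzip tar archive: $1"; return 1; }
    archive_paths_safe "$1" csf || { echo "member outside csf/ in $1"; return 1; }
    tar -tzf "$1" | grep -qx 'csf/install.sh' \
                                || { echo "csf/install.sh not found in $1"; return 1; }
    sha256_matches "$1" "$2"    || { echo "SHA-256 mismatch for $1"; return 1; }
    echo "verified: $1"
}

# When called with two arguments, verify that file, e.g.:
#   sh verify_csf.sh /usr/src/csf.tgz <pinned-sha256-placeholder>
if [ "$#" -eq 2 ]; then
    verify_csf_download "$1" "$2"
fi
```

Run it after the wget step and continue to tar and install.sh only when it prints "verified".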
Basic CSF Configuration
CSF’s main configuration file, located at /etc/csf/csf.conf, contains hundreds of configuration options that control firewall behavior, security policies, and monitoring settings. Open this file using your preferred text editor:
sudo nano /etc/csf/csf.conf
The first critical setting to modify is the TESTING parameter. By default, CSF operates in testing mode, which provides limited functionality and prevents the Login Failure Daemon from starting:
TESTING = "0"
Changing this value from “1” to “0” enables full CSF functionality and allows the system to actively block threats.
Configure the default TCP policies for incoming and outgoing connections. These settings define which ports remain open for network communication:
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873"
The TCP_IN directive specifies ports that accept incoming connections. Common services include SSH (22), HTTP (80), HTTPS (443), and email protocols. The TCP_OUT directive controls outgoing connections, typically allowing web browsing, email, and DNS queries.
Configure UDP policies for connectionless protocols:
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
UDP is primarily used for DNS queries (53), NTP time synchronization (123), and certain file transfer protocols.
Set up basic security policies for connection handling:
DENY_IP_LIMIT = "200"
DENY_TEMP_IP_LIMIT = "100"
PACKET_FILTER = "1"
These settings limit the number of blocked IPs stored in memory and enable packet filtering for enhanced security.
Advanced Security Configuration
CSF’s intrusion detection capabilities provide sophisticated protection against various attack vectors. Configure the Login Failure Daemon settings to automatically respond to authentication failures:
LF_TRIGGER = "5"
LF_SSHD = "5"
LF_FTPD = "10"
LF_SMTPAUTH = "5"
LF_POP3D = "10"
LF_IMAPD = "10"
LF_HTACCESS = "5"
LF_MODSEC = "5"
These settings define the number of failed login attempts that trigger automatic IP blocking. Lower values provide stricter security but may cause legitimate users to be blocked due to typing errors.
Configure the blocking duration and permanent ban thresholds:
LF_TRIGGER_PERM = "20"
LF_TRIGGER_BLOCK = "3600"
LF_PERMBLOCK = "1"
The LF_TRIGGER_PERM setting determines how many times an IP must be temporarily blocked before receiving a permanent ban. LF_TRIGGER_BLOCK sets the temporary block duration in seconds.
Enable process monitoring to detect resource abuse and potential security threats:
PT_LIMIT = "60"
PT_USERPROC = "10"
PT_USERMEM = "200"
PT_USERTIME = "1800"
Process tracking monitors CPU usage, memory consumption, and execution time, automatically terminating or blocking processes that exceed defined limits.
Configure email alerting to receive notifications about security events:
LF_ALERT_TO = "admin@yourdomain.com"
LF_ALERT_FROM = "csf@yourdomain.com"
ALERT_SYSTEM_LOAD = "5"
ALERT_LOG_LINES = "250"
Email alerts provide real-time notification of blocked IPs, system resource alerts, and configuration changes.
Port Management and Network Rules
Effective port management forms the foundation of network security. CSF provides multiple methods for managing port access, including temporary rules, permanent configurations, and service-specific settings.
Add commonly used web services to your allowed ports list. For a typical web server configuration:
TCP_IN = "22,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096"
This configuration includes standard web hosting ports: SSH (22), SMTP (25), DNS (53), HTTP (80), HTTPS (443), and various email and control panel ports.
For custom SSH port configurations, update both the CSF configuration and SSH daemon settings:
# In /etc/csf/csf.conf
TCP_IN = "2222,80,443" # Replace 22 with your custom SSH port
# In /etc/ssh/sshd_config
Port 2222
Remember to restart the SSH service after making changes, but maintain your current connection until verifying the new configuration works.
Configure port ranges for services that require multiple consecutive ports:
TCP_IN = "80,443,8000:8010,3000:3100"
This syntax allows port ranges, useful for applications that dynamically allocate ports within specific ranges.
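Use CSF’s temporary allow feature for maintenance tasks:
sudo csf -ta 192.168.1.100 3600 -p 22 # Allow this IP to reach port 22 for 3600 seconds
sudo csf -ta 192.168.1.100 3600 -p 8080 # Allow this IP to reach port 8080 for 3600 seconds
These commands temporarily allow a specific IP address to reach the given port. The second argument is the time to live in seconds, and CSF removes the entry automatically when it expires.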
Starting and Managing CSF Services
CSF operates through two primary services: csf (the firewall engine) and lfd (the Login Failure Daemon). Both services must be enabled and started for full functionality.
Enable both services for automatic startup:
sudo systemctl enable csf
sudo systemctl enable lfd
Start the services and verify their status:
sudo systemctl start csf
sudo systemctl start lfd
sudo systemctl status csf
sudo systemctl status lfd
The status commands display service state, recent log entries, and any error messages that might indicate configuration problems.
Use CSF’s built-in commands for common management tasks:
sudo csf -r # Restart CSF and apply configuration changes
sudo csf -s # Start CSF
sudo csf -f # Stop CSF (flush all rules)
sudo csf -l # List current firewall rules
sudo csf -e # Enable CSF
sudo csf -x # Disable CSF
These commands provide quick access to essential firewall operations without requiring systemctl commands.
Monitor CSF operation through log files:
sudo tail -f /var/log/lfd.log
sudo tail -f /var/log/messages | grep csf
Log monitoring helps identify blocked connections, configuration errors, and potential security threats.
Testing and Verification
Comprehensive testing ensures CSF operates correctly and provides expected security protection. Begin with the built-in compatibility test to verify all system components function properly:
sudo perl /usr/local/csf/bin/csftest.pl
This test checks iptables modules, Perl dependencies, and system compatibility. Address any reported issues before proceeding with production deployment.
Test port accessibility from external systems using tools like nmap or telnet. From another system, scan your server to verify only intended ports are accessible:
nmap -p 1-65535 your-server-ip
Compare the results with your TCP_IN configuration to ensure CSF properly implements your security policies.
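A pre-flight check for the custom SSH port change and the scan comparison described above, as an added example (not part of CSF or the original tutorial): it reads TCP_IN, including port ranges, confirms the sshd port is covered before csf is restarted, and lists observed open ports that TCP_IN does not account for. The function and script names are hypothetical.

```shell
#!/bin/sh
# Added example (not CSF's own code): check csf.conf TCP_IN against
# the sshd port and against ports seen open in a scan.

# Print the quoted value of a csf.conf setting; the last occurrence wins.
conf_value() {   # args: NAME file
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Succeed if port $1 is covered by a TCP_IN-style list $2 such as "22,80,8000:8010".
port_allowed() (
    IFS=','
    for item in $2; do
        lo=${item%%:*}; hi=${item##*:}
        case "$lo" in ''|*[!0-9]*) continue ;; esac
        case "$hi" in ''|*[!0-9]*) continue ;; esac
        if [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]; then exit 0; fi
    done
    exit 1
)

# Print the port(s) sshd listens on; 22 when no active Port line exists.
sshd_ports() (
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${ports:-22}"
)

# Fail if an sshd port is missing from TCP_IN: applying the rules would cut off SSH.
check_ssh_reachable() (   # args: csf.conf sshd_config
    tcp_in=$(conf_value TCP_IN "$1")
    for p in $(sshd_ports "$2"); do
        port_allowed "$p" "$tcp_in" || { echo "LOCKOUT RISK: sshd port $p not in TCP_IN"; exit 1; }
    done
    echo "ok: sshd port(s) covered by TCP_IN ($tcp_in)"
)

# Print each observed open port that TCP_IN does not list; no output means they match.
unexpected_open_ports() (   # args: csf.conf port...
    tcp_in=$(conf_value TCP_IN "$1"); shift
    for p in "$@"; do
        port_allowed "$p" "$tcp_in" || echo "$p"
    done
)

# When called with two files, run the lockout check, e.g.:
#   sh csf_ports.sh /etc/csf/csf.conf /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then
    check_ssh_reachable "$1" "$2"
fi
```

If the SSH port is set in a drop-in file rather than in sshd_config itself, take the effective value from `sshd -T` instead.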
Verify SSH access functions correctly, especially if you’ve changed the default port. Test connections from your regular IP address and from a different IP to confirm both allow lists and blocking mechanisms work as expected:
ssh -p 22 user@your-server-ip # Test standard port
ssh -p 2222 user@your-server-ip # Test custom port if configured
Monitor CSF’s real-time blocking by generating intentional failed login attempts from a test IP address:
# From test system, attempt invalid SSH login several times
ssh invalid_user@your-server-ip
Check the lfd.log file to confirm CSF detects and blocks the offending IP address.
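Test the temporary IP allow feature by blocking your own IP and then adding it to the temporary allow list. Run both commands from a console or other out-of-band session, because the first command cuts off connections from that IP: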
sudo csf -d your-ip-address # Block your IP
sudo csf -ta your-ip-address # Temporarily allow your IP
This test verifies CSF’s IP management functionality works correctly in emergency situations.
Optimization and Best Practices
Optimize CSF configuration for your specific environment and security requirements. Fine-tune connection limits to balance security with usability:
CC_LOOKUPS = "1"
CC_SRC = "1"
CC_DENY = "CN,RU,KP" # Block specific countries if desired
CONNLIMIT = "80;5,443;10" # Limit concurrent connections per IP
Country code blocking can reduce unwanted traffic, but use this feature carefully to avoid blocking legitimate users.
Configure log rotation to prevent disk space issues:
SYSLOG_CHECK = "300"
LOGFLOOD_ALERT = "0"
ROTATELOGS_COMPRESSION = "1"
Regular log rotation prevents CSF logs from consuming excessive disk space while maintaining security audit trails.
Implement automated backup procedures for CSF configuration:
#!/bin/bash
# Create daily CSF configuration backup
cp -r /etc/csf/ /backup/csf-$(date +%Y%m%d)/
tar -czf /backup/csf-config-$(date +%Y%m%d).tar.gz /etc/csf/
Regular backups ensure quick recovery from configuration errors or system failures.
Monitor system performance impact and adjust settings accordingly:
PT_LOAD = "30"
PT_LOAD_ACTION = "1"
PT_LOAD_LEVEL = "6"
These settings help CSF respond to high system load conditions while maintaining security protection.
Troubleshooting Common Issues
CSF installation and configuration can encounter various issues, particularly on newer distributions like AlmaLinux 10. Address common problems systematically to ensure reliable operation.
If CSF fails to start, check for conflicting firewall services:
sudo systemctl status firewalld
sudo systemctl status iptables
sudo systemctl list-units --type=service | grep -i firewall
Disable any competing firewall services and restart CSF:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl restart csf
Module loading errors often indicate missing kernel modules or incompatible iptables versions:
sudo modprobe ip_tables
sudo modprobe iptable_filter
sudo modprobe iptable_nat
sudo modprobe nf_conntrack
Load required modules manually and add them to /etc/modules-load.d/ for automatic loading.
Console message flooding can overwhelm system logs and terminal sessions. Disable verbose logging if not required for troubleshooting:
SYSLOG = "0"
CONSOLE = "0"
Alternatively, configure rsyslog to filter CSF messages to separate log files.
Port blocking issues often result from incorrect configuration syntax or conflicting rules. Verify port syntax and check for duplicates:
sudo csf -l | grep -E "ACCEPT|REJECT" | sort
List CSF’s temporary allow and deny entries to check whether a temporary rule is affecting the port:
sudo csf -t # List temporary allow and deny entries with their remaining TTL
IP blocking problems may occur when legitimate IPs get blocked due to strict settings. Temporarily allow blocked IPs while investigating:
sudo csf -tr ip-address # Remove from temp block list
sudo csf -dr ip-address # Remove from permanent block list (csf.deny)
sudo csf -a ip-address # Add to permanent allow list
Regular monitoring of blocked IP lists helps identify and resolve false positive blocks.
Security Considerations and Maintenance
Maintaining CSF security requires ongoing attention to updates, monitoring, and configuration refinement. Establish regular maintenance procedures to ensure continued protection effectiveness.
Schedule automatic CSF updates by configuring the built-in update mechanism:
AUTO_UPDATES = "1"
AUTOUPDATE_INTERVAL = "7" # Check weekly
Regular updates ensure CSF includes the latest security patches and feature improvements.
Implement comprehensive log monitoring and alerting:
#!/bin/bash
# Log analysis script
grep -E "Blocked|Permanent" /var/log/lfd.log | tail -50
grep "Failed" /var/log/secure | tail -20
Regular log analysis helps identify attack patterns and adjust security policies accordingly.
Configure backup and recovery procedures for CSF configurations:
# Weekly configuration backup
0 2 * * 0 /usr/bin/tar -czf /backup/csf-$(date +\%Y\%m\%d).tar.gz /etc/csf/
Automated backups enable quick recovery from configuration corruption or accidental changes.
Establish security audit procedures to review CSF effectiveness:
# Monthly security audit checklist
sudo csf -l | wc -l # Count active rules
sudo grep "Blocked" /var/log/lfd.log | wc -l # Count blocked attempts
sudo csf -g ip-address # Search the active rules for a specific IP address
Regular audits help identify security gaps and optimization opportunities.
Advanced Configuration Scenarios
For complex environments, CSF supports advanced configuration scenarios that provide enhanced security and functionality. Configure cluster synchronization for multiple servers:
CLUSTER_SENDTO = "server1.domain.com,server2.domain.com"
CLUSTER_RECVFROM = "server1.domain.com,server2.domain.com"
CLUSTER_KEY = "your-secure-cluster-key"
Cluster configuration ensures consistent security policies across multiple servers, with automatic synchronization of blocked IP lists and configuration changes.
Implement geographic IP blocking for enhanced security:
CC_DENY = "CN,RU,KP,IR" # Block specific country codes
CC_ALLOW_FILTER = "US,CA,GB,DE,FR" # Allow only specific countries
CC_ALLOW_PORTS = "80,443" # Apply geographic filtering to specific ports
Geographic filtering reduces unwanted traffic but requires careful consideration of legitimate user locations.
Configure advanced intrusion detection with custom rules:
# Custom log monitoring
CUSTOM1_LOG = "/var/log/apache2/access.log"
CUSTOM1_REGEX = "GET.*\.\.(\/|\\)" # Directory traversal attempts
Custom monitoring rules enable CSF to respond to application-specific attack patterns and security events.
Congratulations! You have successfully installed the CSF Firewall. Thanks for using this tutorial for installing the CSF Firewall on your AlmaLinux OS 10 system. For additional or useful information, we recommend you check the official CSF Firewall website.