How To Install CSF Firewall on Fedora 40
In this tutorial, we will show you how to install CSF Firewall on Fedora 40. In today’s digital landscape, securing your Fedora server is of utmost importance. One powerful tool that can help fortify your system is ConfigServer Security & Firewall (CSF). CSF is a versatile firewall solution that provides an advanced interface for managing iptables rules, making it easier to control incoming and outgoing traffic.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account; if not, you may need to add 'sudo' to the commands to get root privileges. I will show you the step-by-step installation of the CSF Firewall on Fedora 40.
Prerequisites
Before diving into the installation process, let’s ensure that you have everything you need:
- A server running Fedora 40.
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- You will need access to the terminal to execute commands. Fedora 40 provides the Terminal application for this purpose. It can be found in your Applications menu.
- A network connection or internet access to download the CSF Firewall package.
- A non-root sudo user or access to the root user. We recommend acting as a non-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.
Install CSF Firewall on Fedora 40
Step 1. Keeping your system up-to-date is crucial for security and stability. Start by running the following command to update your Fedora 40 installation:
sudo dnf clean all
sudo dnf update
Step 2. Disable Firewalld.
It’s crucial to disable any existing firewalls, such as firewalld, to prevent potential conflicts with CSF. To disable firewalld, execute the following commands:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
Step 3. Installing Necessary Dependencies.
Install the necessary dependencies using the dnf package manager. Open a terminal and run the following command:
sudo dnf install wget perl unzip net-tools perl-libwww-perl perl-LWP-Protocol-https perl-GDGraph
This command installs essential packages like wget, perl, unzip, net-tools, and required Perl modules.
Step 4. Installing CSF Firewall on Fedora 40.
Now download the latest version of CSF using the wget command. Execute the following command in the terminal:
wget https://download.configserver.com/csf.tgz
Extract the downloaded archive using the tar command:
tar -xzf csf.tgz
Navigate to the extracted CSF directory:
cd csf
Run the CSF installation script as the root user:
sudo sh install.sh
Once the installation is complete, verify that CSF is functioning correctly by running the csftest.pl script:
sudo perl /etc/csf/csftest.pl
If the installation was successful, you should see the message “RESULT: csf should function on this server” at the end of the output.
Step 5. CSF Configuration.
After installing CSF, it’s time to configure the firewall settings according to your server’s requirements. The main configuration file for CSF is located at /etc/csf/csf.conf. Open this file using a text editor with root privileges:
sudo nano /etc/csf/csf.conf
Here are some key settings you should review and modify:
- Enable the firewall by setting TESTING to “0”:
TESTING = "0"
- Configure the incoming and outgoing ports that should be allowed through the firewall. Modify the TCP_IN, TCP_OUT, UDP_IN, and UDP_OUT options to specify the ports you want to permit. For example, to allow incoming SSH (port 22), HTTP (port 80), and HTTPS (port 443) traffic, set:
TCP_IN = "22,80,443"
- If you want CSF to send email alerts, configure the SMTP settings accordingly. Modify the SMTP_BLOCK, SMTP_ALLOWLOCAL, and SMTP_PORTS options to match your email server’s configuration.
- CSF can detect and block login failures to enhance security. Customize the login failure detection settings by modifying options like LF_DAEMON, LF_SSH_EMAIL_ALERT, etc. For example, to enable login failure detection for SSH and receive email alerts, set:
LF_DAEMON = "sshd"
LF_SSH_EMAIL_ALERT = "1"
- Adjust the global allow and deny settings using the GLOBAL_ALLOW and GLOBAL_DENY options. These settings determine which IP addresses or ranges are allowed or blocked by default.
GLOBAL_ALLOW = "192.168.0.0/24"
GLOBAL_DENY = "NONE"
Save the changes to the csf.conf file and exit the text editor.
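Setting TESTING to "0" while the SSH port is missing from TCP_IN can cut off your own session, so it is worth checking the file before restarting the firewall. The pre-flight check below is an added example, not part of CSF or of the original tutorial; the function names are made up here, the sample file is constructed, and it assumes TCP_IN is a comma-separated list in which low:high denotes a port range.

```bash
#!/bin/sh
# Added example: pre-flight check of a csf.conf before going live.
# conf_get, port_allowed and csf_preflight are hypothetical helper names.

# Print the value of KEY ($2) from a csf.conf-style file ($1): KEY = "value".
conf_get() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Return 0 if port $1 is covered by list $2 (single ports or low:high ranges).
port_allowed() {
    local port=$1 list item
    list=$(printf '%s' "$2" | tr -d '[:space:]')
    local IFS=,
    for item in $list; do
        case $item in
            *:*) [ "$port" -ge "${item%%:*}" ] && [ "$port" -le "${item##*:}" ] && return 0 ;;
            "$port") return 0 ;;
        esac
    done
    return 1
}

# Report problems in file $1 for SSH port $2 (default 22); return 0 only if clean.
csf_preflight() {
    local conf=$1 ssh_port=${2:-22} rc=0 tcp_in testing
    tcp_in=$(conf_get "$conf" TCP_IN)
    testing=$(conf_get "$conf" TESTING)
    if ! port_allowed "$ssh_port" "$tcp_in"; then
        echo "FAIL: SSH port $ssh_port is not in TCP_IN (\"$tcp_in\")"; rc=1
    fi
    if [ "$testing" != "0" ]; then
        echo "NOTE: TESTING is \"$testing\", the firewall is not fully enabled"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: SSH port $ssh_port allowed and TESTING is 0"
    return "$rc"
}

# Constructed sample: sshd moved to port 2222, TCP_IN still has the tutorial's ports.
sample=$(mktemp)
printf '%s\n' 'TESTING = "1"' 'TCP_IN = "22,80,443"' > "$sample"
csf_preflight "$sample" 2222 || true
rm -f "$sample"
```

On a real server, run `csf_preflight /etc/csf/csf.conf <your SSH port>` before `csf -r`.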
Step 6. Managing CSF via Command Line.
CSF provides a set of command-line tools to manage the firewall efficiently. Here are some essential commands you should be familiar with:
- Enable the firewall:
sudo csf -e
- Disable the firewall:
sudo csf -x
- Restart the firewall:
sudo csf -r
- Add an IP address to the allow list:
sudo csf -a 192.168.0.100
- Block an IP address:
sudo csf -d 192.168.0.200
- Search for an IP address in the allow and deny lists:
sudo csf -g 192.168.0.100
- List the current firewall rules:
sudo csf -l
In addition to these commands, you can manually edit the csf.allow and csf.deny files to add or remove IP addresses from the respective lists. For example, to allow the IP address 192.168.0.150, add the following line to the csf.allow file:
192.168.0.150 # Trusted IP
To check the status of CSF and view logs, use the following commands:
sudo systemctl status csf
Step 7. CSF Web UI.
CSF offers a web-based user interface that simplifies firewall management tasks. To install and enable the CSF web UI, follow these steps:
sudo sh /etc/csf/ui/install.sh
By default, the CSF web UI listens on port 6080. You can access it using a web browser by navigating to:
http://your_server_ip:6080
Log in to the CSF web UI using your root credentials.
Congratulations! You have successfully installed the CSF Firewall. Thanks for using this tutorial for installing the CSF Firewall on your Fedora 40 system. For additional or useful information, we recommend you check the official CSF Firewall website.