HOW TO SECURE A VPS: Set up a firewall

Most Linux-based operating systems have pre-installed firewalls (think iptables, firewalld, ufw, DebianFirewall). CSF (ConfigServer Firewall) is a similar firewall with the capability of integrating with control panels. This firewall works to provide better security for your VPS while giving you an advanced, intuitive interface for managing your firewall settings.

1. Installing Dependencies

Perl and libwww are prerequisites for installing CSF on any of the supported distributions (RHEL and CentOS, openSUSE, Debian, and Ubuntu).
We therefore run the following commands beforehand.

On Red Hat/CentOS/Fedora:
# yum install perl-libwww-perl
On Ubuntu/Debian:
# apt install libwww-perl


2. Extract the CSF tarball

# tar xzf csf.tgz
# cd csf

3. Run the CSF Installation Script
This part of the process will check that all dependencies are installed, create the necessary directory structures and files for the web interface, detect currently open ports, and remind you to restart the csf and lfd daemons after you’re done with the initial configuration.
# sh install.sh
# perl /usr/local/csf/bin/csftest.pl


4. Disable Firewalld and Configure CSF
Disable firewalld if it is running, then configure CSF.
# systemctl stop firewalld
# systemctl disable firewalld
In /etc/csf/csf.conf, change TESTING = "1" to TESTING = "0" (otherwise, the lfd daemon will fail to start) and list the allowed incoming and outgoing ports as comma-separated lists (TCP_IN and TCP_OUT, respectively).
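
An added example, not part of the original article or of CSF itself: a pre-flight check for the step 4 settings (TESTING, TCP_IN, TCP_OUT), meant to be run before the restart in step 5. The function names, the default SSH port of 22 and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Print the value of KEY ($2) from a csf.conf-style file ($1); lines look like KEY = "value".
csf_conf_get() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Succeed if port $2 is in CSF port list $1 (comma-separated; ranges written low:high).
port_in_list() {
    list=$(printf '%s' "$1" | tr -d ' ') port=$2
    old_ifs=$IFS; IFS=,
    for entry in $list; do
        case $entry in
            *:*) lo=${entry%%:*} hi=${entry##*:}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && { IFS=$old_ifs; return 0; } ;;
            *)   [ "$entry" = "$port" ] && { IFS=$old_ifs; return 0; } ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Check file $1 before restarting csf and lfd. $2 is the SSH port (default 22, an assumption).
# Prints one line per problem; the return status is the number of problems.
csf_preflight() {
    conf=$1 ssh_port=${2:-22} problems=0
    if [ "$(csf_conf_get "$conf" TESTING)" != "0" ]; then
        echo 'TESTING is not "0": lfd will not start'; problems=$((problems + 1))
    fi
    for key in TCP_IN TCP_OUT; do
        if [ -z "$(csf_conf_get "$conf" "$key")" ]; then
            echo "$key is empty or missing"; problems=$((problems + 1))
        fi
    done
    if ! port_in_list "$(csf_conf_get "$conf" TCP_IN)" "$ssh_port"; then
        echo "SSH port $ssh_port is not in TCP_IN: new SSH connections would be blocked"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample (not a real server's file): sshd assumed to listen on 2222.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "1"
TCP_IN = "22,80,443,30000:35000"
TCP_OUT = "22,53,80,443"
EOF
csf_preflight "$sample" 2222 || echo "problems found: $?"
rm -f "$sample"
```

On a server, call csf_preflight with /etc/csf/csf.conf and the port sshd actually listens on.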

5. Restart and Test CSF
# systemctl restart {csf,lfd}
# systemctl enable {csf,lfd}
# systemctl is-active {csf,lfd}
# csf -v

Setting up CSF and Intrusion Detection Rules

First off, you will want to inspect the current firewall rules as follows:

# csf -l

You can also stop them or reload them with:

# csf -f

# csf -r

respectively. Make sure to memorize these options – you will need them as you go along, particularly to check after making changes and restarting csf and lfd.

Allowing and Forbidding IP Addresses

To allow incoming connections from 192.168.0.10:

# csf -a 192.168.0.10

Similarly, you can deny connections originating from 192.168.0.11:

# csf -d 192.168.0.11

You can remove each of the above rules if you wish to do so:

# csf -ar 192.168.0.10

# csf -dr 192.168.0.11
