How to install CSF on CentOS 7 Linux

In this tutorial, we are going to install CSF on CentOS 7 Linux. CSF (ConfigServer Security & Firewall) is a Stateful Packet Inspection (SPI) firewall, login/intrusion detection and security application for Linux servers.
We use the latest version of CSF. CSF has a lot of useful features, such as:

  • SSH login notification
  • SU login notification
  • SYN Flood protection
  • Ping of death protection
  • Port Scan tracking and blocking
  • Permanent and Temporary (with TTL) IP blocking
  • Temporary IP allows (with TTL)
  • IPv6 Support with ip6tables
  • Integrated with the CloudFlare Firewall

For more information, see www.configserver.com

1- CSF preparation

Stop and disable firewalld. CSF manages the iptables rules directly and conflicts with firewalld, so firewalld must be off before CSF is started.

# systemctl disable firewalld
# systemctl stop firewalld

Install iptables-services.

# yum install iptables-services

Create the rule files the iptables services expect (the services fail to start if these files are missing; empty files are fine).

# touch /etc/sysconfig/iptables
# touch /etc/sysconfig/ip6tables

Start iptables.

# systemctl start iptables
# systemctl start ip6tables

Enable iptables at boot.

# systemctl enable iptables
# systemctl enable ip6tables

2- Install CSF

Install the CSF dependencies.

# yum install wget perl unzip net-tools perl-libwww-perl perl-LWP-Protocol-https perl-GDGraph

Download and launch the CSF installer.

# cd /opt
# wget https://download.configserver.com/csf.tgz
# tar -xzf csf.tgz
# cd csf
# sh install.sh

Remove the installation files.

# rm -rf /opt/csf
# rm /opt/csf.tgz

Run the CSF test script to check that the iptables modules CSF needs are available in the kernel.

# perl /usr/local/csf/bin/csftest.pl

The expected output of the above command is:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Next, edit /etc/csf/csf.conf. Change TESTING = "1" to TESTING = "0" (otherwise the lfd daemon will not start) and list the allowed incoming and outgoing ports as comma-separated lists in TCP_IN and TCP_OUT, respectively, as shown in the next section.

The TESTING flag enables a cron job that flushes the iptables rules at a fixed interval (TESTING_INTERVAL, 5 minutes by default) in case of a configuration problem when you start csf, so that a mistake cannot lock you out of your server. The job is written to /etc/crontab, and stopping csf removes it. Leave TESTING at 1 until you are sure the firewall works, in particular that the port sshd listens on is in TCP_IN; then set it to 0 and restart csf.

3- CSF configuration

The following settings are lines in /etc/csf/csf.conf, shown as they appear in the file (without a shell prompt). Only open the ports this server actually serves; the lists below are examples, not a recommendation.

Disable testing mode. lfd (login failure daemon) will not start while TESTING = "1":

TESTING = "0"

Allow incoming TCP ports. The port sshd listens on (22 by default) must be in this list before you leave testing mode, or you will be locked out:

TCP_IN = "21,22,25,80,110,143,443,465,587,636,990,993,995"

Allow outgoing TCP ports:

TCP_OUT = "21,22,25,80,110,143,443,465,587,636,990,993,995"

Allow incoming UDP ports:

UDP_IN = "20,21,53"

Allow outgoing UDP ports. To allow outgoing traceroute, add 33434:33523 to this list:

UDP_OUT = "20,21,53"
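Before switching TESTING to 0, the check worth automating is that the sshd port really is in TCP_IN, since that is the mistake the testing cron job exists to protect you from. The script below is an added example, not part of CSF or of this tutorial. It assumes the KEY = "value" layout of csf.conf, takes the file path and the sshd port as arguments so it can be tried on a copy first, and runs its demo on a constructed csf.conf fragment. The function names csf_get, port_in_list, csf_preflight and csf_disable_testing are mine, not CSF's.

```shell
#!/bin/sh
# csf_preflight.sh: sanity-check a csf.conf before leaving testing mode.
# Added example, not part of CSF. Assumes csf.conf's  KEY = "value"  layout.

# csf_get FILE KEY: print the quoted value of KEY (first match only).
csf_get() {
    sed -n "s/^$2 *= *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# port_in_list LIST PORT: return 0 if PORT is covered by the comma-separated
# LIST, where an entry is either a single port or a range written lo:hi.
port_in_list() {
    port=$2
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case $item in
            *:*)
                lo=${item%%:*}
                hi=${item##*:}
                if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                    return 0
                fi
                ;;
            *)
                [ "$item" = "$port" ] && return 0
                ;;
        esac
    done
    return 1
}

# csf_preflight FILE SSHPORT: return 0 if FILE can safely run with TESTING = "0".
csf_preflight() {
    conf=$1
    sshport=$2
    status=0
    tcp_in=$(csf_get "$conf" TCP_IN)
    tcp_out=$(csf_get "$conf" TCP_OUT)
    testing=$(csf_get "$conf" TESTING)

    if [ -z "$tcp_in" ]; then
        echo "preflight: TCP_IN is empty or missing" >&2
        status=1
    elif ! port_in_list "$tcp_in" "$sshport"; then
        echo "preflight: SSH port $sshport is not in TCP_IN = \"$tcp_in\"" >&2
        status=1
    fi
    if [ -z "$tcp_out" ]; then
        echo "preflight: TCP_OUT is empty, outbound connections will be dropped" >&2
        status=1
    fi
    case $testing in
        0) echo "preflight: TESTING is already 0" >&2 ;;
        1) echo "preflight: TESTING is 1, the flush cron job is active" >&2 ;;
        *) echo "preflight: unexpected TESTING value '$testing'" >&2; status=1 ;;
    esac
    return $status
}

# csf_disable_testing FILE: flip TESTING = "1" to "0" in place (GNU sed, as on CentOS).
csf_disable_testing() {
    sed -i 's/^TESTING = "1"/TESTING = "0"/' "$1"
}

# Demo on a constructed csf.conf fragment (not a real server's config).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample: a few keys in csf.conf layout
TESTING = "1"
TCP_IN = "21,22,25,80,110,143,443,465,587,636,990,993,995"
TCP_OUT = "21,22,25,80,110,143,443,465,587,636,990,993,995"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,33434:33523"
EOF

if csf_preflight "$demo_conf" 22; then
    csf_disable_testing "$demo_conf"
    echo "TESTING is now $(csf_get "$demo_conf" TESTING)"
fi
rm -f "$demo_conf"
```

On a real server, run it as csf_preflight /etc/csf/csf.conf followed by the port from your sshd_config, and only call csf_disable_testing (then csf -r) when it returns 0.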

Restart and test CSF. The last command prints the CSF version and also warns if TESTING mode is still enabled.

# systemctl restart {csf,lfd}
# systemctl enable {csf,lfd}
# systemctl is-active {csf,lfd}
# csf -v

4- Temporarily disable CSF

If you want to disable CSF temporarily, use the command below. It stops csf and lfd and flushes the rules, leaving the server without a host firewall until you run csf -e to enable them again:

# csf -x

5- Apply changes and reload CSF

Any time you change /etc/csf/csf.conf, reload the firewall rules with the following command. lfd reads its settings only at start, so after changing lfd-related options restart lfd as well (csf -ra restarts both csf and lfd):

# csf -r