Hardening Your Hosting Environment (without killing yourself) Step 2: The Firewall

Secured LinuxLast time we discussed updating your packages. Now it’s time to setup your firewall. In this step we are going to install a SPI (Stateful Packet Inspection) Firewall program, CSF.

It is worth noting that CSF is by no means the only option, however it offers a robust feature set along with some fantastic management options from within WHM, all for the low price of free.  With that being said, I should mention that it’s almost a misnomer to call CSF an SPI firewall, as the true firewall is the iptables program that is installed with your RedHat based OS.  Iptables however is not stateful, so CSF brings some much needed SPI to the party.  As this is a very robust program I am unable to give this the full discussion it deserves, so at the very least we can go through the basic install and initial configuration.  For starters, let’s head to /usr/local/bin where binaries are supposed to go:

cd /usr/local/bin

From here we wget the file from CSF’s online repository and then unpack the zipped tarball file:

wget http://www.configserver.com/free/csf.tgz
tar -xvzf csf.tgz

Now you should see that there is a new directory containing the necessary binaries.  Luckily for us, we don’t need to do any complicated compiling or worrying about dependency resolution as they’ve offered us a neat little installer script.  Just cd into the directory and run the script:

cd csf
sh install.sh

Now the program is installed, but it isn’t going to do anything just yet.  Before we can configure or start the program, let’s take just a second to make sure it’s going to run properly.  This is a part of the installation process that is often overlooked, and like most precautionary measures won’t be seen as crucial to the process until one breaks:

perl /etc/csf/csftest.pl

This will tell you if you’re ready to go.  If so, we take the program out of its default testing mode by using the editor of your choice and changing



in /etc/csf/csf.conf.  More advanced users can use the ‘sed’ utility to make this change without going into any editors, however caution is always advised when using a tool as powerful as sed.  Now, we can go ahead and start/enable csf with the following command:

csf -r
csf -e

Now your firewall is statefully inspecting packets, which serves to keep those pesky brute force bots at bay.  Again, CSF is a full featured program with a decent amount of complexity, so some reading here is advised to make the absolute most of your new firewall program:

We are hurdling towards the finish line with one more step to go. Next time we will discuss obfuscating your SSH access.