Using ConfigServer Security & Firewall (CSF) with Virtualizor on Centos 7

October 2, 2017
Phil

Virtualizor is an excellent control panel for managing multiple virtual servers on one or more servers. It’s released by the same people that make the popular Softaculous auto-installer software. There is a built-in firewall system, but it’s probably the weakest aspect of the whole system.  I’m a big fan of CSF – provided free by Way to the Web Ltd.  The configuration is straightforward yet feature packed and is constantly updated.

Virtualizor & CSF – the perfect couple

Thankfully, it’s very easy to replace the built-in firewall with CSF so that you can have the best of both worlds.

Firstly, we need to install a few CentOS packages that CSF needs.

[user@server] sudo yum install unzip perl-libwww-perl bind-utils wget nano

Install CSF

Once completed we can install CSF using the commands below:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Now we need to configure the firewall to our needs.  This is done by editing the configuration files, I’d advise using nano.

Firstly edit the csf.allow file

[user@server] sudo nano /etc/csf/csf.allow

If you’re using a static IP, or a VPN with a static IP, add it here to ensure you maintain access.  Then Ctrl + O to save and Ctrl+ X to exit.

Next, you need to edit the main configuration file

[user@server] sudo nano /etc/csf/csf.conf

There are a few options you’ll need to change for this specific use, but you may wish to look at others at a later time.

TESTING = “1” should be altered to TESTING = “0” – this makes the firewall active
TCP_IN = “….” should be altered to only have the ports you need open. eg TCP_IN = “4083,4085” – these are the two SSL ports.  If you’re planning to use the LetsEncrypt! certificate feature, you’ll also need to open port 80 for that.  If you don’t have a static IP you may also wish to leave SSH open for you to access, 22.  As per the example in the configuration, just list the ports separated by commas.

Again, Ctrl + O to save and Ctrl+ X to exit.

Finally, we need to add an additional config file to allow CSF to work with Virtualizer.

[user@server] sudo nano /etc/csf/csfpost.sh

And add the following line:

/sbin/iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT

Again, Ctrl + O to save and Ctrl+ X to exit.

Reload CSF

[user@server] sudo csf -r

And you’re good to go.

No comments

Leave a Reply

Your email address will not be published. Required fields are marked *